diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index e7c52e9b0fb..e7db20a6d7e 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -65,6 +65,7 @@
 /SPECS/moby-runc/* @microsoft/cbl-mariner-container-runtime
 /SPECS/kata-containers/* @microsoft/cbl-mariner-kata-containers
 /SPECS/kata-containers-cc/* @microsoft/cbl-mariner-kata-containers
+/SPECS/virtiofsd/* @microsoft/cbl-mariner-kata-containers
 /SPECS/cloud-hypervisor/* @microsoft/cbl-mariner-virtualization
 /SPECS/hvloader/* @microsoft/cbl-mariner-kata-containers
diff --git a/.github/workflows/check-clean-stage.yml b/.github/workflows/check-clean-stage.yml
index 73fadc15cbd..fce02a824e7 100644
--- a/.github/workflows/check-clean-stage.yml
+++ b/.github/workflows/check-clean-stage.yml
@@ -9,6 +9,8 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
 spec-clean-stage-check:
 name: Spec %clean stage check
diff --git a/.github/workflows/check-entangled-specs.yml b/.github/workflows/check-entangled-specs.yml
index e1f58c2bb32..fc0962302ad 100644
--- a/.github/workflows/check-entangled-specs.yml
+++ b/.github/workflows/check-entangled-specs.yml
@@ -12,6 +12,8 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
 check:
 name: Spec Entanglement Mismatch Check
diff --git a/.github/workflows/check-kernel-config.yml b/.github/workflows/check-kernel-config.yml
index 501a7e0d242..00401b81282 100644
--- a/.github/workflows/check-kernel-config.yml
+++ b/.github/workflows/check-kernel-config.yml
@@ -16,6 +16,8 @@ on:
 paths:
 - 'SPECS/kernel*/config*'
 
+permissions: read-all
+
 jobs:
 check:
 name: Kernel configs check
@@ -25,7 +27,7 @@ jobs:
 # Checkout the branch of our repo that triggered this action
 - name: Workflow trigger checkout
 uses: actions/checkout@v4
-
+
 - name: Get base commit for PRs
 if: ${{ github.event_name == 'pull_request' }}
 run: |
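Review bot: `permissions: read-all` is a sound hardening default for these check-only workflows, but it still grants read on every token scope the job could use, while the only thing visible in these hunks that needs the token is `actions/checkout`, which works with `contents: read`. A tighter top-level default is `permissions:` followed by `  contents: read`, with per-job grants only where a step genuinely needs more. The same hunk is repeated in the other workflow files of this commit, so whichever default is chosen should be applied consistently; the trailing-whitespace fix in the second check-kernel-config.yml hunk is fine as is.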
diff --git a/.github/workflows/check-license-map.yml b/.github/workflows/check-license-map.yml
index 274793c0b76..0ff41a14ce1 100644
--- a/.github/workflows/check-license-map.yml
+++ b/.github/workflows/check-license-map.yml
@@ -11,6 +11,8 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
 check:
 name: Spec License Map Check
diff --git a/.github/workflows/check-livepatches.yml b/.github/workflows/check-livepatches.yml
index d77127a0593..9c5fc5ea516 100644
--- a/.github/workflows/check-livepatches.yml
+++ b/.github/workflows/check-livepatches.yml
@@ -9,6 +9,8 @@ on:
 pull_request:
 branches: [2.0, fasttrack/*]
 
+permissions: read-all
+
 jobs:
 spec-check:
 name: Livepatches check
@@ -51,7 +53,7 @@ jobs:
 #################### CHECK FAILURE ####################
 Livepatch specs need to be updated! Run the following command to perform the update:
-
+
 toolkit/scripts/livepatching/update_livepatches.sh
 #################### CHECK FAILURE ####################
diff --git a/.github/workflows/check-manifests.yml b/.github/workflows/check-manifests.yml
index 161c4025edc..5102ecff3bf 100644
--- a/.github/workflows/check-manifests.yml
+++ b/.github/workflows/check-manifests.yml
@@ -9,6 +9,8 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
 build:
 name: Check Manifests
diff --git a/.github/workflows/check-package-cgmanifest.yml b/.github/workflows/check-package-cgmanifest.yml
index f399ddd38cf..f766bd41f10 100644
--- a/.github/workflows/check-package-cgmanifest.yml
+++ b/.github/workflows/check-package-cgmanifest.yml
@@ -9,6 +9,8 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
 build:
diff --git a/.github/workflows/check-spec.yml b/.github/workflows/check-spec.yml
index 5a3fc7d3921..4fb30e1f4af 100644
--- a/.github/workflows/check-spec.yml
+++ b/.github/workflows/check-spec.yml
@@ -9,6 +9,8 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
 spec-check:
 name: Spec files check
diff --git a/.github/workflows/check-static-glibc.yml b/.github/workflows/check-static-glibc.yml
index 55346dd0516..7ac9a372347 100644
--- a/.github/workflows/check-static-glibc.yml
+++ b/.github/workflows/check-static-glibc.yml
@@ -10,6 +10,8 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
 spec-check:
 name: Static glibc version check
diff --git a/.github/workflows/go-test-coverage.yml b/.github/workflows/go-test-coverage.yml
index e7d387fabc8..f7cd3c95424 100644
--- a/.github/workflows/go-test-coverage.yml
+++ b/.github/workflows/go-test-coverage.yml
@@ -9,6 +9,8 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 env:
 EXPECTED_GO_VERSION: "1.20"
diff --git a/.github/workflows/lint-specs.yml b/.github/workflows/lint-specs.yml
index 91b3f0ed71f..fc3ff4fb5e1 100644
--- a/.github/workflows/lint-specs.yml
+++ b/.github/workflows/lint-specs.yml
@@ -13,6 +13,8 @@ on:
 - '**.spec'
 branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
 spec-lint:
 name: Spec Linting
diff --git a/.github/workflows/quickstart_1.0.yml b/.github/workflows/quickstart_1.0.yml
index 89e2dac4af7..0c7c30d2328 100644
--- a/.github/workflows/quickstart_1.0.yml
+++ b/.github/workflows/quickstart_1.0.yml
@@ -10,6 +10,8 @@ on:
 schedule:
 - cron: "0 15 * * *"
 
+permissions: read-all
+
 jobs:
 get_input-srpms:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/quickstart_2.0.yml b/.github/workflows/quickstart_2.0.yml
index f6ce72493b6..19514a62c89 100644
--- a/.github/workflows/quickstart_2.0.yml
+++ b/.github/workflows/quickstart_2.0.yml
@@ -10,6 +10,8 @@ on:
 schedule:
 - cron: "0 15 * * *"
 
+permissions: read-all
+
 jobs:
 get_input-srpms:
 runs-on: ubuntu-latest
diff --git a/.pipelines/containerSourceData/Dockerfile-Initial b/.pipelines/containerSourceData/Dockerfile-Initial
new file mode 100644
index 00000000000..cc6adfa9780
--- /dev/null
+++ b/.pipelines/containerSourceData/Dockerfile-Initial
@@ -0,0 +1,19 @@
+ARG RPMS_TO_INSTALL \
+\
+RUN --mount=type=bind,source=./Stage/,target=/dockerStage/ \\\
+ RPMS_PATH="/dockerStage/RPMS"; \\\
+ LOCAL_REPO_PATH="/localrepo"; \\\
+ mkdir -p $LOCAL_REPO_PATH; \\\
+ tdnf install -y createrepo; \\\
+ cp -r ${RPMS_PATH} ${LOCAL_REPO_PATH}; \\\
+ cat /dockerStage/marinerLocalRepo.repo >> /etc/yum.repos.d/local.repo; \\\
+ createrepo --database ${LOCAL_REPO_PATH} --workers 10; tdnf makecache \&\& tdnf makecache; \\\
+ tdnf autoremove -y createrepo; \\\
+ for rpm in "${RPMS_TO_INSTALL[@]}"; do \\\
+ echo "RPM: $rpm"; \\\
+ tdnf install -y $rpm; \\\
+ done; \\\
+ tdnf clean all; \\\
+ rm -f /etc/yum.repos.d/local.repo; \\\
+ rm -rf /var/cache/tdnf; \\\
+ rm -rf ${LOCAL_REPO_PATH};
\ No newline at end of file
diff --git a/.pipelines/containerSourceData/azurecli/Dockerfile-AzureCLI b/.pipelines/containerSourceData/azurecli/Dockerfile-AzureCLI
new file mode 100644
index 00000000000..48754ed2a5c
--- /dev/null
+++ b/.pipelines/containerSourceData/azurecli/Dockerfile-AzureCLI
@@ -0,0 +1,14 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# basic smoke test
+RUN az version
+
+# set default command for the container
+CMD ["bash"]
diff --git a/.pipelines/containerSourceData/azurecli/azurecli.pkg b/.pipelines/containerSourceData/azurecli/azurecli.pkg
new file mode 100644
index 00000000000..1a90f07a0ca
--- /dev/null
+++ b/.pipelines/containerSourceData/azurecli/azurecli.pkg
@@ -0,0 +1 @@
+azure-cli
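Review bot: In Dockerfile-Initial the loop `for rpm in "${RPMS_TO_INSTALL[@]}"; do` iterates over a build ARG, which is a plain string rather than a bash array, so (assuming RUN's shell is bash, which the array syntax requires) it runs once with the whole list in `$rpm` and only installs each package because `tdnf install -y $rpm` is left unquoted to word-split; `for rpm in $RPMS_TO_INSTALL; do` states the intent directly and drops the dependency on bash. The trust decision for these packages lives in `/dockerStage/marinerLocalRepo.repo`, which this diff does not show — if that file sets `gpgcheck=0`, the loop installs unsigned RPMs straight from the bind mount, so a comment here should say what is expected, e.g. `# signature checking for the local repo is governed by marinerLocalRepo.repo; do not disable gpgcheck there`. `tdnf makecache \&\& tdnf makecache` runs the same command twice and can be reduced to one call. The fragment has no FROM of its own, so I assume it is spliced into the other Dockerfiles at `@INCLUDE_MAIN_RUN_INSTRUCTION@`.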
diff --git a/.pipelines/containerSourceData/base/Dockerfile-Base-Nonroot-Template b/.pipelines/containerSourceData/base/Dockerfile-Base-Nonroot-Template
new file mode 100644
index 00000000000..1a1987af456
--- /dev/null
+++ b/.pipelines/containerSourceData/base/Dockerfile-Base-Nonroot-Template
@@ -0,0 +1,32 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE AS BASE
+
+ARG MARINER_VERSION=2.0
+ARG USERNAME=nonroot
+ARG USER_UID=65532
+ARG USER_GID=$USER_UID
+ARG SET_USER=$USERNAME
+
+RUN mkdir -p /staging/etc \
+ && tdnf install -y --releasever=$MARINER_VERSION shadow-utils \
+ && groupadd --gid $USER_GID $USERNAME \
+ && useradd --gid $USER_GID -g $USERNAME $USERNAME -u $USER_UID \
+ && tdnf clean all \
+ # Copy user/group info to staging
+ && cp /etc/passwd /staging/etc/passwd \
+ && cp /etc/group /staging/etc/group
+
+FROM $BASE_IMAGE AS FINAL
+
+ARG USER_UID=65532
+ARG SET_USER=$USER_UID
+
+COPY --from=BASE /staging/ /
+
+USER $SET_USER
+
+CMD [ "bash" ]
diff --git a/.pipelines/containerSourceData/base/Dockerfile-Base-Template b/.pipelines/containerSourceData/base/Dockerfile-Base-Template
new file mode 100644
index 00000000000..468a29c5261
--- /dev/null
+++ b/.pipelines/containerSourceData/base/Dockerfile-Base-Template
@@ -0,0 +1,12 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG EULA=@EULA_FILE@
+
+COPY $EULA .
+
+CMD [ "bash" ]
diff --git a/.pipelines/containerSourceData/busybox/Dockerfile-Busybox-Template b/.pipelines/containerSourceData/busybox/Dockerfile-Busybox-Template
new file mode 100644
index 00000000000..91a14429418
--- /dev/null
+++ b/.pipelines/containerSourceData/busybox/Dockerfile-Busybox-Template
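Review bot: In the BASE stage, `useradd --gid $USER_GID -g $USERNAME $USERNAME -u $USER_UID` passes the same option twice (`-g` is the short form of `--gid`), so the second value silently wins; it resolves to the same group here, but one form is enough: `useradd -u $USER_UID -g $USER_GID $USERNAME`. The user is created without a home directory and only `/etc/passwd` and `/etc/group` are staged, so in the FINAL stage `HOME` for uid 65532 points at a path that does not exist; anything that writes to `$HOME` on startup will fail in a non-obvious way, which deserves either a comment such as `# nonroot deliberately has no home directory; workloads needing one must set HOME to a writable mount` or an explicit `--create-home` plus copying `/home/$USERNAME` into `/staging`. Copying the whole passwd/group files also carries every account present in the BASE stage into the final image; extracting just the `$USERNAME` entries with `grep` would keep the account list minimal.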
@@ -0,0 +1,41 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE AS BASE
+
+ARG MARINER_VERSION=2.0
+
+# Install busybox, glibc, and their dependencies into a staging location.
+# Staging directory is copied into the final scratch image.
+RUN mkdir /staging \
+ && tdnf install -y --releasever=$MARINER_VERSION --installroot /staging \
+ busybox glibc \
+ && tdnf clean all \
+ && pushd /staging \
+ && rm -rf boot media mnt opt run \
+ && rm -rf usr/lib/sysimage \
+ && rm -rf var/cache \
+ && rm -rf var/lib/rpm; \
+ ln -vL /staging/usr/sbin/busybox /staging/bin/; \
+ chroot /staging /bin/busybox --install -s /bin
+
+# Smoke Tests
+# Test and make sure it works
+RUN chroot /staging /usr/bin/env sh -xec 'true'
+
+# Ensure correct timezone (UTC)
+RUN [ "$(chroot /staging date +%Z)" = 'UTC' ]
+
+# Test and make sure DNS works too
+RUN cp -L /etc/resolv.conf /staging/etc/; \
+ chroot /staging /bin/sh -xec 'nslookup microsoft.com'; \
+ rm /staging/etc/resolv.conf
+
+FROM scratch
+
+# Copy dependencies into the scratch image.
+COPY --from=BASE /staging/ .
+
+CMD [ "sh" ]
diff --git a/.pipelines/containerSourceData/cdi/Dockerfile-cdi-apiserver b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-apiserver
new file mode 100644
index 00000000000..07f4d9b2851
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-apiserver
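Review bot: `rm -rf var/lib/rpm` in the staging RUN deletes the RPM database, so the scratch image ends up with no package inventory at all and vulnerability scanners that read the rpmdb will report it as empty instead of as busybox and glibc at specific versions. Unless the pipeline publishes an SBOM for this image elsewhere (nothing in this diff does), either keep the database or write a package manifest into `/staging` before deleting it, e.g. `rpm --root /staging -qa > /staging/var/lib/rpmmanifest/container-manifest-1`, and add a comment stating which mechanism scanners are expected to use. The DNS smoke test `chroot /staging /bin/sh -xec 'nslookup microsoft.com'` makes the build depend on outbound network access and a public resolver, so it fails in a sandboxed builder; it is worth gating behind a build arg or documenting that network is required at build time.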
@@ -0,0 +1,23 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# workaround till binaries rename is merged
+RUN [ -f /usr/bin/virt-cdi-apiserver ] && mv -f /usr/bin/virt-cdi-apiserver /usr/bin/cdi-apiserver
+
+#simple smoke test
+RUN ls /usr/bin/cdi-apiserver
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cdi-apiserver", "-alsologtostderr" ]
diff --git a/.pipelines/containerSourceData/cdi/Dockerfile-cdi-cloner b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-cloner
new file mode 100644
index 00000000000..1c1a3f43a2e
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-cloner
@@ -0,0 +1,20 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+#simple smoke test
+RUN ls /usr/bin/cdi-cloner
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cloner_startup.sh" ]
diff --git a/.pipelines/containerSourceData/cdi/Dockerfile-cdi-controller b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-controller
new file mode 100644
index 00000000000..6ef8982d23d
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-controller
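Review bot: `RUN [ -f /usr/bin/virt-cdi-apiserver ] && mv -f /usr/bin/virt-cdi-apiserver /usr/bin/cdi-apiserver` breaks the build exactly when the workaround stops being needed: once the package ships `cdi-apiserver` directly, `[ -f ]` returns 1, `&&` short-circuits, and the RUN step exits non-zero. Write it as a real conditional so the absent case is a no-op: `RUN if [ -f /usr/bin/virt-cdi-apiserver ]; then mv -f /usr/bin/virt-cdi-apiserver /usr/bin/cdi-apiserver; fi`. The same pattern appears in the controller, importer, operator, uploadproxy and uploadserver Dockerfiles in this commit and should be fixed in all of them.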
@@ -0,0 +1,23 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# workaround till binaries rename is merged
+RUN [ -f /usr/bin/virt-cdi-controller ] && mv -f /usr/bin/virt-cdi-controller /usr/bin/cdi-controller
+
+#simple smoke test
+RUN ls /usr/bin/cdi-controller
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cdi-controller", "-alsologtostderr" ]
diff --git a/.pipelines/containerSourceData/cdi/Dockerfile-cdi-importer b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-importer
new file mode 100644
index 00000000000..1fc4471d5ca
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-importer
@@ -0,0 +1,29 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# Workaround till proper binaries are built as part of the cdi rpm & renames are removed
+# https://github.com/microsoft/CBL-Mariner/pull/5708/files#
+COPY cdi-containerimage-server /usr/bin/cdi-containerimage-server
+COPY cdi-image-size-detection /usr/bin/cdi-image-size-detection
+COPY cdi-source-update-poller /usr/bin/cdi-source-update-poller
+
+# workaround till binaries rename is merged
+RUN [ -f /usr/bin/virt-cdi-importer ] && mv -f /usr/bin/virt-cdi-importer /usr/bin/cdi-importer
+
+#simple smoke test
+RUN ls /usr/bin/cdi-importer
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cdi-importer", "-alsologtostderr" ]
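Review bot: The three `COPY cdi-containerimage-server`, `COPY cdi-image-size-detection` and `COPY cdi-source-update-poller` lines install executables that are committed to the repository as opaque binaries (the `Binary files ... differ` entries under `configuration-files/`), which sidesteps the RPM build, signing and manifest path every other file in this image goes through; nothing in the diff records what source revision they were built from or a digest that a build could check. Until the referenced PR lands, at minimum pin provenance next to the COPY lines, e.g. `# Prebuilt from containerized-data-importer <tag or commit>; sha256 recorded in configuration-files/SHA256SUMS`, and verify the checksums in a RUN step before the binaries land in `/usr/bin`. The copied files are placed into the image as root-owned before `USER $USER` runs, which is correct; the gap is only in provenance.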
diff --git a/.pipelines/containerSourceData/cdi/Dockerfile-cdi-operator b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-operator
new file mode 100644
index 00000000000..2526bca9479
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-operator
@@ -0,0 +1,27 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# Workaround till proper binaries are built as part of the cdi rpm & renames are removed
+# https://github.com/microsoft/CBL-Mariner/pull/5708/files#
+COPY csv-generator /usr/bin/csv-generator
+
+# workaround till binaries rename is merged
+RUN [ -f /usr/bin/virt-cdi-operator ] && mv -f /usr/bin/virt-cdi-operator /usr/bin/cdi-operator
+
+#simple smoke test
+RUN ls /usr/bin/cdi-operator
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cdi-operator" ]
diff --git a/.pipelines/containerSourceData/cdi/Dockerfile-cdi-uploadproxy b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-uploadproxy
new file mode 100644
index 00000000000..64803ae6483
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-uploadproxy
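Review bot: The service account created by `adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME` gets an interactive login shell and a home directory, neither of which a Kubernetes operator process needs; if `adduser` here is shadow-utils' useradd (shadow-utils is in operator.pkg), `-s /sbin/nologin --no-create-home` keeps the account to the minimum and removes a convenient foothold for anyone who gets exec into the pod. Membership in gid 0 is presumably for OpenShift-style arbitrary-UID support; a comment saying so, e.g. `# gid 0 so the binary can run under an arbitrary UID assigned by the platform`, would stop a later reader from "fixing" it. The `COPY csv-generator` line has the same provenance gap as the importer's prebuilt binaries: no source revision or digest is recorded for a blob checked into git.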
@@ -0,0 +1,23 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# workaround till binaries rename is merged
+RUN [ -f /usr/bin/virt-cdi-uploadproxy ] && mv -f /usr/bin/virt-cdi-uploadproxy /usr/bin/cdi-uploadproxy
+
+#simple smoke test
+RUN ls /usr/bin/cdi-uploadproxy
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cdi-uploadproxy", "-alsologtostderr" ]
diff --git a/.pipelines/containerSourceData/cdi/Dockerfile-cdi-uploadserver b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-uploadserver
new file mode 100644
index 00000000000..cfdb28f80e7
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/Dockerfile-cdi-uploadserver
@@ -0,0 +1,23 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# workaround till binaries rename is merged
+RUN [ -f /usr/bin/virt-cdi-uploadserver ] && mv -f /usr/bin/virt-cdi-uploadserver /usr/bin/cdi-uploadserver
+
+#simple smoke test
+RUN ls /usr/bin/cdi-uploadserver
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cdi-uploadserver", "-alsologtostderr" ]
diff --git a/.pipelines/containerSourceData/cdi/api.pkg b/.pipelines/containerSourceData/cdi/api.pkg
new file mode 100644
index 00000000000..e01888c8ba1
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/api.pkg
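Review bot: `ARG USER` has no default, so unless the pipeline always passes `--build-arg USER=...`, `[[ $USER != 0 ]]` is true for the empty string, `adduser -u  --gid 0 ...` fails with an unhelpful error, and `USER $USER` would expand to an instruction with no argument that Docker rejects. Give it a default that makes the non-root path the default rather than the root path, e.g. `ARG USER=1001`, or fail fast with a clear message: `RUN [ -n "$USER" ] || { echo "build-arg USER is required" >&2; exit 1; }`. The `[[ ... ]]` test also assumes RUN's `/bin/sh` is bash; `[ "$USER" != 0 ]` works in any POSIX shell and removes that assumption.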
@@ -0,0 +1,19 @@
+acl
+ca-certificates
+containerized-data-importer-api
+cpio
+curl
+diffutils
+findutils
+jq
+nbdkit
+nbdkit-curl-plugin
+nbdkit-vddk-plugin
+nbdkit-xz-filter
+patch
+qemu-img
+qemu-tools
+shadow-utils
+tar
+unzip
+util-linux
diff --git a/.pipelines/containerSourceData/cdi/cloner.pkg b/.pipelines/containerSourceData/cdi/cloner.pkg
new file mode 100644
index 00000000000..4e3bf18c4df
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/cloner.pkg
@@ -0,0 +1,19 @@
+acl
+ca-certificates
+containerized-data-importer-cloner
+cpio
+curl
+diffutils
+findutils
+jq
+nbdkit
+nbdkit-curl-plugin
+nbdkit-vddk-plugin
+nbdkit-xz-filter
+patch
+qemu-img
+qemu-tools
+shadow-utils
+tar
+unzip
+util-linux
diff --git a/.pipelines/containerSourceData/cdi/configuration-files/cdi-containerimage-server b/.pipelines/containerSourceData/cdi/configuration-files/cdi-containerimage-server
new file mode 100755
index 00000000000..98a76d5bb51
Binary files /dev/null and b/.pipelines/containerSourceData/cdi/configuration-files/cdi-containerimage-server differ
diff --git a/.pipelines/containerSourceData/cdi/configuration-files/cdi-image-size-detection b/.pipelines/containerSourceData/cdi/configuration-files/cdi-image-size-detection
new file mode 100755
index 00000000000..9ff14ac9bd3
Binary files /dev/null and b/.pipelines/containerSourceData/cdi/configuration-files/cdi-image-size-detection differ
diff --git a/.pipelines/containerSourceData/cdi/configuration-files/cdi-source-update-poller b/.pipelines/containerSourceData/cdi/configuration-files/cdi-source-update-poller
new file mode 100755
index 00000000000..b3e80db1d32
Binary files /dev/null and b/.pipelines/containerSourceData/cdi/configuration-files/cdi-source-update-poller differ
diff --git a/.pipelines/containerSourceData/cdi/configuration-files/csv-generator b/.pipelines/containerSourceData/cdi/configuration-files/csv-generator
new file mode 100755
index 00000000000..34ad036fea0
Binary files /dev/null and b/.pipelines/containerSourceData/cdi/configuration-files/csv-generator differ
diff --git a/.pipelines/containerSourceData/cdi/controller.pkg b/.pipelines/containerSourceData/cdi/controller.pkg
new file mode 100644
index 00000000000..d7cfee9884f
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/controller.pkg
@@ -0,0 +1,19 @@
+acl
+ca-certificates
+containerized-data-importer-controller
+cpio
+curl
+diffutils
+findutils
+jq
+nbdkit
+nbdkit-curl-plugin
+nbdkit-vddk-plugin
+nbdkit-xz-filter
+patch
+qemu-img
+qemu-tools
+shadow-utils
+tar
+unzip
+util-linux
diff --git a/.pipelines/containerSourceData/cdi/importer.pkg b/.pipelines/containerSourceData/cdi/importer.pkg
new file mode 100644
index 00000000000..18ec0adccee
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/importer.pkg
@@ -0,0 +1,19 @@
+acl
+ca-certificates
+containerized-data-importer-importer
+cpio
+curl
+diffutils
+findutils
+jq
+nbdkit
+nbdkit-curl-plugin
+nbdkit-vddk-plugin
+nbdkit-xz-filter
+patch
+qemu-img
+qemu-tools
+shadow-utils
+tar
+unzip
+util-linux
diff --git a/.pipelines/containerSourceData/cdi/operator.pkg b/.pipelines/containerSourceData/cdi/operator.pkg
new file mode 100644
index 00000000000..3172da39569
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/operator.pkg
@@ -0,0 +1,19 @@
+acl
+ca-certificates
+containerized-data-importer-operator
+cpio
+curl
+diffutils
+findutils
+jq
+nbdkit
+nbdkit-curl-plugin
+nbdkit-vddk-plugin
+nbdkit-xz-filter
+patch
+qemu-img
+qemu-tools
+shadow-utils
+tar
+unzip
+util-linux
diff --git a/.pipelines/containerSourceData/cdi/uploadproxy.pkg b/.pipelines/containerSourceData/cdi/uploadproxy.pkg
new file mode 100644
index 00000000000..fcc38346bee
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/uploadproxy.pkg
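Review bot: controller.pkg, importer.pkg and operator.pkg are the same 19-package list with only the cdi sub-package swapped, so the controller and operator images ship qemu-img, qemu-tools, nbdkit with its curl/vddk/xz plugins, curl, patch, tar and unzip alongside the Go binary. Those look like importer/cloner tooling; if the controller and operator binaries never exec them, trimming each list to what that component needs removes a sizeable CVE surface (qemu and nbdkit in particular) from the images that hold cluster credentials. I cannot tell from this diff which external tools each binary invokes, so a one-line comment on each package kept for a specific reason would make later trimming safe.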
@@ -0,0 +1,19 @@
+acl
+ca-certificates
+containerized-data-importer-uploadproxy
+cpio
+curl
+diffutils
+findutils
+jq
+nbdkit
+nbdkit-curl-plugin
+nbdkit-vddk-plugin
+nbdkit-xz-filter
+patch
+qemu-img
+qemu-tools
+shadow-utils
+tar
+unzip
+util-linux
diff --git a/.pipelines/containerSourceData/cdi/uploadserver.pkg b/.pipelines/containerSourceData/cdi/uploadserver.pkg
new file mode 100644
index 00000000000..dcc6df525b1
--- /dev/null
+++ b/.pipelines/containerSourceData/cdi/uploadserver.pkg
@@ -0,0 +1,19 @@
+acl
+ca-certificates
+containerized-data-importer-uploadserver
+cpio
+curl
+diffutils
+findutils
+jq
+nbdkit
+nbdkit-curl-plugin
+nbdkit-vddk-plugin
+nbdkit-xz-filter
+patch
+qemu-img
+qemu-tools
+shadow-utils
+tar
+unzip
+util-linux
diff --git a/.pipelines/containerSourceData/certmanager/Dockerfile-cert-manager b/.pipelines/containerSourceData/certmanager/Dockerfile-cert-manager
new file mode 100644
index 00000000000..ee764161f7c
--- /dev/null
+++ b/.pipelines/containerSourceData/certmanager/Dockerfile-cert-manager
@@ -0,0 +1,16 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# set security context
+USER 1000
+
+# simple smoke test
+RUN stat @BINARY_PATH@
+
+ENTRYPOINT [ @BINARY_PATH@ ]
diff --git a/.pipelines/containerSourceData/certmanager/acmesolver.pkg b/.pipelines/containerSourceData/certmanager/acmesolver.pkg
new file mode 100644
index 00000000000..faa66e630c6
--- /dev/null
+++ b/.pipelines/containerSourceData/certmanager/acmesolver.pkg
@@ -0,0 +1,2 @@
+ca-certificates
+cert-manager-acmesolver
diff --git a/.pipelines/containerSourceData/certmanager/cainjector.pkg b/.pipelines/containerSourceData/certmanager/cainjector.pkg
new file mode 100644
index 00000000000..1fd97ff96c2
--- /dev/null
+++ b/.pipelines/containerSourceData/certmanager/cainjector.pkg
@@ -0,0 +1,2 @@
+ca-certificates
+cert-manager-cainjector
diff --git a/.pipelines/containerSourceData/certmanager/cmctl.pkg b/.pipelines/containerSourceData/certmanager/cmctl.pkg
new file mode 100644
index 00000000000..d2d8362e7f2
--- /dev/null
+++ b/.pipelines/containerSourceData/certmanager/cmctl.pkg
@@ -0,0 +1,2 @@
+ca-certificates
+cert-manager-cmctl
diff --git a/.pipelines/containerSourceData/certmanager/controller.pkg b/.pipelines/containerSourceData/certmanager/controller.pkg
new file mode 100644
index 00000000000..1d06d420578
--- /dev/null
+++ b/.pipelines/containerSourceData/certmanager/controller.pkg
@@ -0,0 +1,2 @@
+ca-certificates
+cert-manager-controller
diff --git a/.pipelines/containerSourceData/certmanager/webhook.pkg b/.pipelines/containerSourceData/certmanager/webhook.pkg
new file mode 100644
index 00000000000..fd3d8332cba
--- /dev/null
+++ b/.pipelines/containerSourceData/certmanager/webhook.pkg
@@ -0,0 +1,2 @@
+ca-certificates
+cert-manager-webhook
diff --git a/.pipelines/containerSourceData/distroless/Dockerfile-Distroless-Nonroot-Template b/.pipelines/containerSourceData/distroless/Dockerfile-Distroless-Nonroot-Template
new file mode 100644
index 00000000000..194ef5fd060
--- /dev/null
+++ b/.pipelines/containerSourceData/distroless/Dockerfile-Distroless-Nonroot-Template
@@ -0,0 +1,31 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+ARG FINAL_IMAGE
+
+FROM $BASE_IMAGE AS BASE
+
+ARG MARINER_VERSION=2.0
+ARG USERNAME=nonroot
+ARG USER_UID=65532
+ARG USER_GID=$USER_UID
+ARG SET_USER=$USERNAME
+
+RUN mkdir -p /staging/etc \
+ && tdnf install -y --releasever=$MARINER_VERSION shadow-utils \
+ && groupadd --gid $USER_GID $USERNAME \
+ && useradd --gid $USER_GID -g $USERNAME $USERNAME -u $USER_UID \
+ && tdnf clean all \
+ # Copy user/group info to staging
+ && cp /etc/passwd /staging/etc/passwd \
+ && cp /etc/group /staging/etc/group
+
+FROM $FINAL_IMAGE AS FINAL
+
+ARG USER_UID=65532
+ARG SET_USER=$USER_UID
+
+COPY --from=BASE /staging/ /
+
+USER $SET_USER
diff --git a/.pipelines/containerSourceData/distroless/Dockerfile-Distroless-Template b/.pipelines/containerSourceData/distroless/Dockerfile-Distroless-Template
new file mode 100644
index 00000000000..283ea7df47d
--- /dev/null
+++ b/.pipelines/containerSourceData/distroless/Dockerfile-Distroless-Template
@@ -0,0 +1,10 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG EULA=@EULA_FILE@
+
+COPY $EULA .
diff --git a/.pipelines/containerSourceData/influxdb/Dockerfile-Influxdb b/.pipelines/containerSourceData/influxdb/Dockerfile-Influxdb
new file mode 100644
index 00000000000..b7295ef4a89
--- /dev/null
+++ b/.pipelines/containerSourceData/influxdb/Dockerfile-Influxdb
@@ -0,0 +1,42 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+RUN set -eux; \
+ mkdir -p /home/influxdb && \
+ chown -R influxdb:influxdb /home/influxdb && \
+ mkdir -p /var/lib/influxdb && \
+ chown -R influxdb:influxdb /var/lib/influxdb
+
+# Smoke test for influxdb server and CLI.
+RUN set -eux && \
+ influxd version &&\
+ influx version
+
+# Create standard directories expected by the entry-point.
+RUN mkdir /docker-entrypoint-initdb.d && \
+ mkdir -p /var/lib/influxdb && \
+ chown -R influxdb:influxdb /var/lib/influxdb && \
+ mkdir -p /etc/influxdb && \
+ chown -R influxdb:influxdb /etc/influxdb
+
+VOLUME /var/lib/influxdb /etc/influxdb
+
+COPY config.yml /etc/defaults/influxdb/config.yml
+COPY influxdb-docker-entrypoint.sh /usr/local/bin/
+
+RUN chmod +x /usr/local/bin/influxdb-docker-entrypoint.sh
+
+ENTRYPOINT ["/usr/local/bin/influxdb-docker-entrypoint.sh"]
+CMD ["influxd"]
+
+EXPOSE 8086
+ENV INFLUX_CONFIGS_PATH /etc/influxdb/influx-configs
+ENV INFLUXD_INIT_PORT 9999
+ENV INFLUXD_INIT_PING_ATTEMPTS 600
+ENV DOCKER_INFLUXDB_INIT_CLI_CONFIG_NAME default
\ No newline at end of file
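Review bot: Dockerfile-Influxdb sets no `USER`, so the container starts as root and any privilege drop is left entirely to `influxdb-docker-entrypoint.sh`; an overridden entrypoint or `docker run --entrypoint bash` runs as root with everything `influxdb`-owned writable. If that is intended because the entrypoint has to chown the volumes before switching users (the entrypoint's own header suggests so, but I have not verified the drop), say it next to the ENTRYPOINT line: `# Starts as root on purpose: the entrypoint fixes volume ownership and is expected to switch to the influxdb user before running influxd`. The `ENV INFLUXD_INIT_PORT 9999` style is the legacy whitespace form that Docker now warns about; `ENV INFLUXD_INIT_PORT=9999` and friends are the supported syntax. The `/etc/defaults/influxdb/config.yml` destination is hard-coded in both this file and the entrypoint's default config path, so a comment tying the two together would stop them drifting apart.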
diff --git a/.pipelines/containerSourceData/influxdb/configuration-files/config.yml b/.pipelines/containerSourceData/influxdb/configuration-files/config.yml
new file mode 100644
index 00000000000..f59c4f92b00
--- /dev/null
+++ b/.pipelines/containerSourceData/influxdb/configuration-files/config.yml
@@ -0,0 +1,3 @@
+bolt-path: /var/lib/influxdb/influxd.bolt
+engine-path: /var/lib/influxdb/engine
+nats-port: 4222
\ No newline at end of file
diff --git a/.pipelines/containerSourceData/influxdb/configuration-files/influxdb-docker-entrypoint.sh b/.pipelines/containerSourceData/influxdb/configuration-files/influxdb-docker-entrypoint.sh
new file mode 100644
index 00000000000..7eab2055e60
--- /dev/null
+++ b/.pipelines/containerSourceData/influxdb/configuration-files/influxdb-docker-entrypoint.sh
@@ -0,0 +1,410 @@ +#!/bin/bash +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +set -eo pipefail + + +## READ ME +## +## This script handles a few use-cases: +## 1. Running arbitrary shell commands other than `influxd` +## 2. Running subcommands of `influxd` other than `run` +## 3. Running `influxd run` with no auto-setup or auto-upgrade behavior +## 4. Running `influxd` with automated setup of a fresh 2.x DB +## 5. Running `influxd` with automated upgrade from a 1.x DB +## +## Use-cases 4 and 5 both optionally support running user-mounted scripts against the +## initialized DB to perform arbitrary setup logic. +## +## Use-case 1 runs as root (the container's default user). All other use-cases +## run as a non-root user. To support this, the script attempts to handle chown-ing +## the data directories specified in config/env/CLI flags. We do this even for +## use-case 2 so that commands like `influxd inspect` which modify files in the data +## directory don't create files will later be inaccessible to the main `influxd run` +## process. +## +## Use-case 4 requires booting a temporary instance of `influxd` so we can access the +## server's HTTP API. This script handles tracking the PID of that instance and shutting +## it down appropriately. The instance is booted on a port other than what's specified in +## config. We do this so: +## 1. We can ignore any TLS settings in config while performing initial setup calls +## 2. We don't have to worry about users accessing the DB before it's fully initialized +## +## Use-case 5 requires booting a temporary instance only when the user has mounted setup scripts. +## If no scripts are present, we can `upgrade` and then immediately boot the server on the +## user-configured port. + + +# Do our best to match the logging requested by the user running the container. 
+declare -rA LOG_LEVELS=([error]=0 [warn]=1 [info]=2 [debug]=3) +declare LOG_LEVEL=error + +# Mimic the structured logging used by InfluxDB. +# Usage: log [ ]... +function log () { + local -r level=$1 msg=$2 + shift 2 + + if [ "${LOG_LEVELS[${level}]}" -gt "${LOG_LEVELS[${LOG_LEVEL}]}" ]; then + return + fi + + local attrs='"system": "docker"' + while [ "$#" -gt 1 ]; do + attrs="${attrs}, \"$1\": \"$2\"" + shift 2 + done + + local -r logtime="$(date --utc +'%FT%T.%NZ')" + 1>&2 echo -e "${logtime}\t${level}\t${msg}\t{${attrs}}" +} + +# Set the global log-level for the entry-point to match the config passed to influxd. +function set_global_log_level () { + local level + level="$(influxd print-config --key-name log-level "${@}")" + if [ -z "${level}" ] || [ -z "${LOG_LEVELS[${level}]}" ]; then + return 1 + fi + LOG_LEVEL=${level} +} + +# Look for standard config names in the volume configured in our Dockerfile. +declare -r CONFIG_VOLUME=/etc/influxdb +declare -ra CONFIG_NAMES=(config.json config.toml config.yaml config.yml) + +# Search for a V2 config file, and export its path into the env for influxd to use. +function set_config_path () { + local config_path=/etc/defaults/influxdb/config.yml + + if [ -n "$INFLUXD_CONFIG_PATH" ]; then + config_path="${INFLUXD_CONFIG_PATH}" + else + for name in "${CONFIG_NAMES[@]}"; do + if [ -f "${CONFIG_VOLUME}/${name}" ]; then + config_path="${CONFIG_VOLUME}/${name}" + break + fi + done + fi + + export INFLUXD_CONFIG_PATH="${config_path}" +} + +function set_data_paths () { + BOLT_PATH="$(influxd print-config --key-name bolt-path "${@}")" + ENGINE_PATH="$(influxd print-config --key-name engine-path "${@}")" + export BOLT_PATH ENGINE_PATH +} + +# Ensure all the data directories needed by influxd exist with the right permissions. 
+function create_directories () { + log info "creating folders with the right permissions" + local -r bolt_dir="$(dirname "${BOLT_PATH}")" + local user + user=$(id -u) + + if [ "$(id -u)" != 0 ]; then + log warn "cannot create folders as non-root" + return + fi + + mkdir -p "${bolt_dir}" "${ENGINE_PATH}" + chmod 700 "${bolt_dir}" "${ENGINE_PATH}" || : + + mkdir -p "${CONFIG_VOLUME}" || : + chmod 775 "${CONFIG_VOLUME}" || : + + if [ ${user} = 0 ]; then + find "${bolt_dir}" \! -user influxdb -exec chown influxdb '{}' + + find "${ENGINE_PATH}" \! -user influxdb -exec chown influxdb '{}' + + find "${CONFIG_VOLUME}" \! -user influxdb -exec chown influxdb '{}' + + fi +} + +# Read password and username from file to avoid unsecure env variables +if [ -n "${DOCKER_INFLUXDB_INIT_PASSWORD_FILE}" ]; then [ -e "${DOCKER_INFLUXDB_INIT_PASSWORD_FILE}" ] && DOCKER_INFLUXDB_INIT_PASSWORD=$(cat "${DOCKER_INFLUXDB_INIT_PASSWORD_FILE}") || echo "DOCKER_INFLUXDB_INIT_PASSWORD_FILE defined, but file not existing, skipping."; fi +if [ -n "${DOCKER_INFLUXDB_INIT_USERNAME_FILE}" ]; then [ -e "${DOCKER_INFLUXDB_INIT_USERNAME_FILE}" ] && DOCKER_INFLUXDB_INIT_USERNAME=$(cat "${DOCKER_INFLUXDB_INIT_USERNAME_FILE}") || echo "DOCKER_INFLUXDB_INIT_USERNAME_FILE defined, but file not existing, skipping."; fi + +# List of env vars required to auto-run setup or upgrade processes. +declare -ra REQUIRED_INIT_VARS=(DOCKER_INFLUXDB_INIT_USERNAME DOCKER_INFLUXDB_INIT_PASSWORD DOCKER_INFLUXDB_INIT_ORG DOCKER_INFLUXDB_INIT_BUCKET) + +# Ensure all env vars required to run influx setup or influxd upgrade are set in the env. +function ensure_init_vars_set () { + local missing_some=0 + for var in "${REQUIRED_INIT_VARS[@]}"; do + if [ -z "${!var}" ]; then + log error "missing parameter, cannot init InfluxDB" parameter ${var} + missing_some=1 + fi + done + if [ ${missing_some} = 1 ]; then + exit 1 + fi +} + +# If exiting on error, delete all bolt and engine files. 
+# If we didn't do this, the container would see the boltdb file on reboot and assume +# the DB is already full set up. +function cleanup_influxd () { + log warn "cleaning bolt and engine files to prevent conflicts on retry" bolt_path "${BOLT_PATH}" engine_path "${ENGINE_PATH}" + rm -rf "${BOLT_PATH}" "${ENGINE_PATH}/"* +} + +# Upgrade V1 data into the V2 format using influxd upgrade. +# The process will use either a V1 config file or a V1 data dir to drive +# the upgrade, with precedence order: +# 1. Config file pointed to by DOCKER_INFLUXDB_INIT_UPGRADE_V1_CONFIG env var +# 2. Data dir pointed to by DOCKER_INFLUXDB_INIT_UPGRADE_V1_DIR env var +# 3. Config file at /etc/influxdb/influxdb.conf +# 4. Data dir at /var/lib/influxdb +function upgrade_influxd () { + local -a upgrade_args=( + --force + --username "${DOCKER_INFLUXDB_INIT_USERNAME}" + --password "${DOCKER_INFLUXDB_INIT_PASSWORD}" + --org "${DOCKER_INFLUXDB_INIT_ORG}" + --bucket "${DOCKER_INFLUXDB_INIT_BUCKET}" + --v2-config-path "${CONFIG_VOLUME}/config.toml" + --influx-configs-path "${INFLUX_CONFIGS_PATH}" + --continuous-query-export-path "${CONFIG_VOLUME}/v1-cq-export.txt" + --log-path "${CONFIG_VOLUME}/upgrade.log" + --log-level "${LOG_LEVEL}" + --bolt-path "${BOLT_PATH}" + --engine-path "${ENGINE_PATH}" + --overwrite-existing-v2 + ) + if [ -n "${DOCKER_INFLUXDB_INIT_RETENTION}" ]; then + upgrade_args=("${upgrade_args[@]}" --retention "${DOCKER_INFLUXDB_INIT_RETENTION}") + fi + if [ -n "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN}" ]; then + upgrade_args=("${upgrade_args[@]}" --token "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN}") + fi + + if [[ -n "${DOCKER_INFLUXDB_INIT_UPGRADE_V1_CONFIG}" && -f "${DOCKER_INFLUXDB_INIT_UPGRADE_V1_CONFIG}" ]]; then + upgrade_args=("${upgrade_args[@]}" --config-file "${DOCKER_INFLUXDB_INIT_UPGRADE_V1_CONFIG}") + elif [[ -n "${DOCKER_INFLUXDB_INIT_UPGRADE_V1_DIR}" && -d "${DOCKER_INFLUXDB_INIT_UPGRADE_V1_DIR}" ]]; then + upgrade_args=("${upgrade_args[@]}" --v1-dir 
"${DOCKER_INFLUXDB_INIT_UPGRADE_V1_DIR}") + elif [ -f /etc/influxdb/influxdb.conf ]; then + upgrade_args=("${upgrade_args[@]}" --config-file /etc/influxdb/influxdb.conf) + elif [ -d /var/lib/influxdb ]; then + upgrade_args=("${upgrade_args[@]}" --v1-dir /var/lib/influxdb) + else + log error "failed to autodetect usable V1 config or data dir, aborting upgrade" + exit 1 + fi + + influxd upgrade "${upgrade_args[@]}" + + # Reset global influxd config to pick up new file written by the upgrade process. + set_config_path +} + +# Ping influxd until it responds or crashes. +# Used to block execution until the server is ready to process setup requests. +function wait_for_influxd () { + local -r influxd_pid=$1 + local ping_count=0 + while kill -0 "${influxd_pid}" && [ ${ping_count} -lt ${INFLUXD_INIT_PING_ATTEMPTS} ]; do + sleep 1 + log info "pinging influxd..." ping_attempt ${ping_count} + ping_count=$((ping_count+1)) + if influx ping &> /dev/null; then + log info "got response from influxd, proceeding" total_pings ${ping_count} + return + fi + done + if [ ${ping_count} -eq ${INFLUXD_INIT_PING_ATTEMPTS} ]; then + log error "influxd took too long to start up" total_pings ${ping_count} + else + log error "influxd crashed during startup" total_pings ${ping_count} + fi + exit 1 +} + +# Create an initial user/org/bucket in the DB using the influx CLI. 
+function setup_influxd () { + local -a setup_args=( + --force + --username "${DOCKER_INFLUXDB_INIT_USERNAME}" + --password "${DOCKER_INFLUXDB_INIT_PASSWORD}" + --org "${DOCKER_INFLUXDB_INIT_ORG}" + --bucket "${DOCKER_INFLUXDB_INIT_BUCKET}" + --name "${DOCKER_INFLUXDB_INIT_CLI_CONFIG_NAME}" + ) + if [ -n "${DOCKER_INFLUXDB_INIT_RETENTION}" ]; then + setup_args=("${setup_args[@]}" --retention "${DOCKER_INFLUXDB_INIT_RETENTION}") + fi + if [ -n "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN}" ]; then + setup_args=("${setup_args[@]}" --token "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN}") + fi + + influx setup "${setup_args[@]}" +} + +# Get the IDs of the initial user/org/bucket created during setup, and export them into the env. +# We do this to help with arbitrary user scripts, since many influx CLI commands only take IDs. +function set_init_resource_ids () { + DOCKER_INFLUXDB_INIT_USER_ID="$(influx user list -n "${DOCKER_INFLUXDB_INIT_USER}" --hide-headers | cut -f 1)" + DOCKER_INFLUXDB_INIT_ORG_ID="$(influx org list -n "${DOCKER_INFLUXDB_INIT_ORG}" --hide-headers | cut -f 1)" + DOCKER_INFLUXDB_INIT_BUCKET_ID="$(influx bucket list -n "${DOCKER_INFLUXDB_INIT_BUCKET}" --hide-headers | cut -f 1)" + export DOCKER_INFLUXDB_INIT_USER_ID DOCKER_INFLUXDB_INIT_ORG_ID DOCKER_INFLUXDB_INIT_BUCKET_ID +} + +# Allow users to mount arbitrary startup scripts into the container, +# for execution after initial setup/upgrade. +declare -r USER_SCRIPT_DIR=/docker-entrypoint-initdb.d + +# Check if user-defined setup scripts have been mounted into the container. +function user_scripts_present () { + if [ ! -d ${USER_SCRIPT_DIR} ]; then + return 1 + fi + test -n "$(find ${USER_SCRIPT_DIR} -name "*.sh" -type f -executable)" +} + +# Execute all shell files mounted into the expected path for user-defined startup scripts. 
+function run_user_scripts () { + if [ -d ${USER_SCRIPT_DIR} ]; then + log info "Executing user-provided scripts" script_dir ${USER_SCRIPT_DIR} + run-parts ${USER_SCRIPT_DIR} + fi +} + +# Helper used to propagate signals received during initialization to the influxd +# process running in the background. +function handle_signal () { + kill -${1} ${2} + wait ${2} +} + +# Perform initial setup on the InfluxDB instance, either by setting up fresh metadata +# or by upgrading existing V1 data. +function init_influxd () { + if [[ "${DOCKER_INFLUXDB_INIT_MODE}" != setup && "${DOCKER_INFLUXDB_INIT_MODE}" != upgrade ]]; then + log error "found invalid DOCKER_INFLUXDB_INIT_MODE, valid values are 'setup' and 'upgrade'" DOCKER_INFLUXDB_INIT_MODE "${DOCKER_INFLUXDB_INIT_MODE}" + exit 1 + fi + ensure_init_vars_set + trap "cleanup_influxd" EXIT + + # The upgrade process needs to run before we boot the server, otherwise the + # boltdb file will be generated and cause conflicts. + if [ "${DOCKER_INFLUXDB_INIT_MODE}" = upgrade ]; then + upgrade_influxd + fi + + # Short-circuit if using upgrade mode and user didn't define any custom scripts, + # to save startup time from booting & shutting down the server. + if [ "${DOCKER_INFLUXDB_INIT_MODE}" = upgrade ] && ! user_scripts_present; then + trap - EXIT + return + fi + + local -r final_bind_addr="$(influxd print-config --key-name http-bind-address "${@}")" + local -r init_bind_addr=":${INFLUXD_INIT_PORT}" + if [ "${init_bind_addr}" = "${final_bind_addr}" ]; then + log warn "influxd setup binding to same addr as final config, server will be exposed before ready" addr "${init_bind_addr}" + fi + local final_host_scheme="http" + if [ "$(influxd print-config --key-name tls-cert "${@}")" != '""' ] && [ "$(influxd print-config --key-name tls-key "${@}")" != '""' ]; then + final_host_scheme="https" + fi + + # Generate a config file with a known HTTP port, and TLS disabled. 
+ local -r init_config=/tmp/config.yml + influxd print-config "${@}" | \ + sed -e "s#${final_bind_addr}#${init_bind_addr}#" -e '/^tls/d' > \ + "${init_config}" + + # Start influxd in the background. + log info "booting influxd server in the background" + INFLUXD_CONFIG_PATH="${init_config}" INFLUXD_HTTP_BIND_ADDRESS="${init_bind_addr}" INFLUXD_TLS_CERT='' INFLUXD_TLS_KEY='' influxd & + local -r influxd_init_pid="$!" + trap "handle_signal TERM ${influxd_init_pid}" TERM + trap "handle_signal INT ${influxd_init_pid}" INT + + export INFLUX_HOST="http://localhost:${INFLUXD_INIT_PORT}" + wait_for_influxd "${influxd_init_pid}" + + # Use the influx CLI to create an initial user/org/bucket. + if [ "${DOCKER_INFLUXDB_INIT_MODE}" = setup ]; then + setup_influxd + fi + + set_init_resource_ids + run_user_scripts + + log info "initialization complete, shutting down background influxd" + kill -TERM "${influxd_init_pid}" + wait "${influxd_init_pid}" || true + trap - EXIT INT TERM + + # Rewrite the ClI configs to point at the server's final HTTP address. + local -r final_port="$(echo "${final_bind_addr}" | sed -E 's#[^:]*:(.*)#\1#')" + sed -i "s#http://localhost:${INFLUXD_INIT_PORT}#${final_host_scheme}://localhost:${final_port}#g" "${INFLUX_CONFIGS_PATH}" +} + +# Check if the --help or -h flag is set in a list of CLI args. +function check_help_flag () { + for arg in "${@}"; do + if [ "${arg}" = --help ] || [ "${arg}" = -h ]; then + return 0 + fi + done + return 1 +} + +function main () { + # Ensure INFLUXD_CONFIG_PATH is set. + # We do this even if we're not running the main influxd server so subcommands + # (i.e. print-config) still find the right config values. + set_config_path + + local run_influxd=false + if [[ $# = 0 || "$1" = run || "${1:0:1}" = '-' ]]; then + run_influxd=true + elif [[ "$1" = influxd && ($# = 1 || "$2" = run || "${2:0:1}" = '-') ]]; then + run_influxd=true + shift 1 + fi + + if ! 
${run_influxd}; then + exec "${@}" + fi + + if [ "$1" = run ]; then + shift 1 + fi + + if ! check_help_flag "${@}"; then + # Configure logging for our wrapper. + set_global_log_level "${@}" + # Configure data paths used across functions. + set_data_paths "${@}" + # Ensure volume directories exist w/ correct permissions. + create_directories + fi + + if [ -f "${BOLT_PATH}" ]; then + log info "found existing boltdb file, skipping setup wrapper" bolt_path "${BOLT_PATH}" + elif [ -z "${DOCKER_INFLUXDB_INIT_MODE}" ]; then + log warn "boltdb not found at configured path, but DOCKER_INFLUXDB_INIT_MODE not specified, skipping setup wrapper" bolt_path "${bolt_path}" + else + init_influxd "${@}" + # Set correct permission on volume directories again. This is necessary so that if the container was run as the + # root user, the files from the automatic upgrade/initialization will be correctly set when stepping down to the + # influxdb user. + create_directories + fi + + if [ "$(id -u)" = 0 ]; then + exec setpriv --reuid=influxdb --regid=influxdb --init-groups --inh-caps=-all "$BASH_SOURCE" "$@" + fi + + # Run influxd. + exec influxd "$@" +} + +main "$@" \ No newline at end of file diff --git a/.pipelines/containerSourceData/influxdb/influxdb.pkg b/.pipelines/containerSourceData/influxdb/influxdb.pkg new file mode 100644 index 00000000000..d76c08a482f --- /dev/null +++ b/.pipelines/containerSourceData/influxdb/influxdb.pkg @@ -0,0 +1,5 @@ +cronie +influx-cli +influxdb +libflux +util-linux diff --git a/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-api b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-api new file mode 100644 index 00000000000..fc9994e5def --- /dev/null +++ b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-api 
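Review bot: `cleanup_influxd` runs `rm -rf "${BOLT_PATH}" "${ENGINE_PATH}/"*` from an `EXIT` trap while the script is still root, and `ENGINE_PATH` comes from `influxd print-config --key-name engine-path`; if that command succeeds but prints nothing (a missing key, or a future print-config format change) the glob becomes `/*` and the trap empties the container's root filesystem, so guard it with `[ -n "${ENGINE_PATH}" ] && [ -n "${BOLT_PATH}" ] || return 0` before the `rm`. `set_init_resource_ids` queries `influx user list -n "${DOCKER_INFLUXDB_INIT_USER}"`, a variable that is neither required by `REQUIRED_INIT_VARS` nor set anywhere in the script (setup uses `DOCKER_INFLUXDB_INIT_USERNAME`), so `DOCKER_INFLUXDB_INIT_USER_ID` is presumably always empty for user scripts; it looks like it should read `"${DOCKER_INFLUXDB_INIT_USERNAME}"`. In `main`, the no-init-mode warning logs `bolt_path "${bolt_path}"` with a lowercase name that is never defined, so the attribute is always blank; it should be `"${BOLT_PATH}"`. Finally, the `*_PASSWORD_FILE` handling is commented as avoiding insecure environment variables, yet the value is still passed as `--password "${DOCKER_INFLUXDB_INIT_PASSWORD}"` to `influx setup` and `influxd upgrade`, where it is readable in `/proc/<pid>/cmdline` by any process in the container for the duration of those calls; a caveat comment next to the file-read lines, e.g. `# NOTE: the password still appears on the influx/influxd command line during setup`, would stop operators from assuming the file mechanism hides it completely.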
@@ -0,0 +1,16 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+RUN adduser -u 1001 --create-home -s /bin/bash virt-api
+USER 1001
+
+#simple smoke test
+RUN ls /usr/bin/virt-api
+
+ENTRYPOINT [ "/usr/bin/virt-api" ]
diff --git a/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-controller b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-controller
new file mode 100644
index 00000000000..14396c6deba
--- /dev/null
+++ b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-controller
@@ -0,0 +1,16 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+RUN adduser -u 1001 --create-home -s /bin/bash virt-controller
+USER 1001
+
+#simple smoke test
+RUN ls /usr/bin/virt-controller
+
+ENTRYPOINT [ "/usr/bin/virt-controller" ]
diff --git a/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-handler b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-handler
new file mode 100644
index 00000000000..8442eefc347
--- /dev/null
+++ b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-handler
@@ -0,0 +1,13 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+#simple smoke test
+RUN ls /usr/bin/virt-handler
+
+ENTRYPOINT [ "/usr/bin/virt-handler" ]
diff --git a/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-launcher b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-launcher
new file mode 100644
index 00000000000..7687627567b
--- /dev/null
+++ b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-launcher
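Review bot: `RUN adduser -u 1001 --create-home -s /bin/bash virt-api` gives a pure service account an interactive login shell and a home directory that nothing in this Dockerfile uses; `-s /sbin/nologin` (and dropping `--create-home` unless virt-api is known to write under `$HOME`) is the least-privilege form, and the same line appears in the virt-controller Dockerfile of this commit. Keep `USER 1001` numeric as written — that is what Kubernetes' `runAsNonRoot` admission check can verify without inspecting the image. `adduser` here presumably resolves to shadow-utils' `useradd` wrapper, which seems to be the only reason `shadow-utils` is in virt-api.pkg; a comment such as `# shadow-utils is only needed for adduser` would document that dependency.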
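Review bot: Unlike the virt-api, virt-controller and virt-operator images in this commit, the virt-handler Dockerfile sets no `USER`, so the process runs as root; that is presumably deliberate (the virt-handler.pkg list pulls in iptables, nftables, iproute and qemu-tools, which suggests a privileged per-node daemon), but nothing in the file says so and a later hardening pass could "fix" it. A one-line comment above the smoke test, e.g. `# Intentionally no USER: virt-handler runs privileged on each node and needs host networking/device access.`, records the decision where it will be seen.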
@@ -0,0 +1,30 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +# XXX Once edk2 is moved to SPECS this will not be needed +RUN tdnf -y install mariner-repos-extended.noarch \ + && tdnf -y install edk2-ovmf \ + && tdnf clean all + +# Setup permissions and capabilities for non-root VMIs. KubeVirt sets +# XDG_* directories to /var/run. +RUN cd /var && rm -rf run && ln -s ../run . \ + && chown qemu:qemu /var/run \ + && setcap 'cap_net_bind_service=+ep' /usr/bin/virt-launcher \ + && setcap 'cap_net_bind_service=+ep' /usr/bin/virt-launcher-monitor \ + && chmod 0755 /etc/libvirt + +RUN cp /usr/share/kube-virt/virt-launcher/qemu.conf /etc/libvirt/ +RUN cp /usr/share/kube-virt/virt-launcher/virtqemud.conf /etc/libvirt/ +RUN cp /usr/share/kube-virt/virt-launcher/nsswitch.conf /etc/ + +#simple smoke test +RUN ls /usr/bin/virt-launcher + +ENTRYPOINT [ "/usr/bin/virt-launcher" ] diff --git a/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-operator b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-operator new file mode 100644 index 00000000000..382ee080ac7 --- /dev/null +++ b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-operator @@ -0,0 +1,16 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +RUN adduser --system --no-create-home -u 101 virt-operator +USER 101 + +#simple smoke test +RUN ls /usr/bin/virt-operator + +ENTRYPOINT [ "/usr/bin/virt-operator" ] diff --git a/.pipelines/containerSourceData/kubevirt/virt-api.pkg b/.pipelines/containerSourceData/kubevirt/virt-api.pkg new file mode 100644 index 00000000000..c8110b01ee2 --- /dev/null +++ b/.pipelines/containerSourceData/kubevirt/virt-api.pkg @@ -0,0 +1,3 @@ +ca-certificates +kubevirt-virt-api +shadow-utils 
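Review bot: `tdnf -y install mariner-repos-extended.noarch && tdnf -y install edk2-ovmf` fetches the VM firmware from a network repository at image-build time without a version pin, whereas every other component of these images comes from the `.pkg` lists built in this repository; two builds of the same commit can therefore embed different OVMF binaries, and whatever provenance tracking the pipeline does for `.pkg` contents presumably does not see this package. Until the `XXX` note is resolved, pin the package (`tdnf -y install edk2-ovmf-<version>`) so the firmware shipped to guests is reproducible and auditable, and consider removing or disabling the extended repo file after the install so the published image does not keep an enabled out-of-band repo. Separately, `chown qemu:qemu /var/run` hands the whole runtime directory (now a symlink to `/run`) to the qemu user; presumably required by the non-root VMI setup mentioned in the comment, but naming which component writes there would help reviewers judge the scope.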
diff --git a/.pipelines/containerSourceData/kubevirt/virt-controller.pkg b/.pipelines/containerSourceData/kubevirt/virt-controller.pkg
new file mode 100644
index 00000000000..0b28bb3acc9
--- /dev/null
+++ b/.pipelines/containerSourceData/kubevirt/virt-controller.pkg
@@ -0,0 +1,3 @@
+ca-certificates
+kubevirt-virt-controller
+shadow-utils
diff --git a/.pipelines/containerSourceData/kubevirt/virt-handler.pkg b/.pipelines/containerSourceData/kubevirt/virt-handler.pkg
new file mode 100644
index 00000000000..4215b6092e3
--- /dev/null
+++ b/.pipelines/containerSourceData/kubevirt/virt-handler.pkg
@@ -0,0 +1,14 @@
+ca-certificates
+curl
+dbus
+iproute
+iptables
+kubevirt-container-disk
+kubevirt-virt-handler
+lsscsi
+nftables
+procps
+qemu-tools
+qemu-user
+tar
+util-linux
diff --git a/.pipelines/containerSourceData/kubevirt/virt-launcher.pkg b/.pipelines/containerSourceData/kubevirt/virt-launcher.pkg
new file mode 100644
index 00000000000..d6cfdfdef22
--- /dev/null
+++ b/.pipelines/containerSourceData/kubevirt/virt-launcher.pkg
@@ -0,0 +1,16 @@
+augeas
+ca-certificates
+iptables
+kubevirt-container-disk
+kubevirt-virt-launcher
+libcap
+libvirt-client
+libvirt-daemon-driver-qemu
+nftables
+procps
+qemu-device-usb-redirect
+qemu-system-x86
+qemu-tools
+socat
+tar
+xorriso
diff --git a/.pipelines/containerSourceData/kubevirt/virt-operator.pkg b/.pipelines/containerSourceData/kubevirt/virt-operator.pkg
new file mode 100644
index 00000000000..4b01d518344
--- /dev/null
+++ b/.pipelines/containerSourceData/kubevirt/virt-operator.pkg
@@ -0,0 +1,3 @@
+ca-certificates
+kubevirt-virt-operator
+shadow-utils
diff --git a/.pipelines/containerSourceData/marinerLocalRepo.repo b/.pipelines/containerSourceData/marinerLocalRepo.repo
new file mode 100644
index 00000000000..a74ef1b23e6
--- /dev/null
+++ b/.pipelines/containerSourceData/marinerLocalRepo.repo
@@ -0,0 +1,6 @@
+[mariner-local]
+name=Mariner Local Repo
+baseurl=file:///localrepo
+enabled=1
+gpgcheck=0
+skip_if_unavailable=True
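Review bot: `gpgcheck=0` together with `enabled=1` turns off signature verification for everything installed from `file:///localrepo`; that is presumably fine for freshly built, not-yet-signed RPMs during the image build, but the file gives no hint that it is build-time only, and if it is ever left behind in a published image any later `tdnf install` inside that container would trust an unsigned local path. Add a header comment, e.g. `# Build-time only: serves locally built RPMs that are not yet signed. The build must remove this file from the final image.`, and make sure the step that drops it into the build context also deletes it afterwards.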
diff --git a/.pipelines/containerSourceData/memcached/Dockerfile-Memcached b/.pipelines/containerSourceData/memcached/Dockerfile-Memcached new file mode 100644 index 00000000000..26a0f496a7a --- /dev/null +++ b/.pipelines/containerSourceData/memcached/Dockerfile-Memcached @@ -0,0 +1,20 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +RUN useradd memcache + +USER memcache + +EXPOSE 11211 + +# basic smoke test +RUN memcached -h + +# set default command for the container +CMD ["memcached"] diff --git a/.pipelines/containerSourceData/memcached/memcached.pkg b/.pipelines/containerSourceData/memcached/memcached.pkg new file mode 100644 index 00000000000..51b7e42eb61 --- /dev/null +++ b/.pipelines/containerSourceData/memcached/memcached.pkg @@ -0,0 +1 @@ +memcached diff --git a/.pipelines/containerSourceData/multus/Dockerfile-Multus b/.pipelines/containerSourceData/multus/Dockerfile-Multus new file mode 100644 index 00000000000..1f379ffaddb --- /dev/null +++ b/.pipelines/containerSourceData/multus/Dockerfile-Multus @@ -0,0 +1,17 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +RUN ln -s /usr/bin/python3 /usr/bin/python + +RUN mkdir -p /usr/src/multus-cni/bin \ + && cp /usr/bin/multus /usr/src/multus-cni/bin/ \ + && cp /usr/bin/install_multus /install_multus \ + && cp /usr/bin/thin_entrypoint /thin_entrypoint + +ENTRYPOINT [ "/thin_entrypoint" ] diff --git a/.pipelines/containerSourceData/multus/multus.pkg b/.pipelines/containerSourceData/multus/multus.pkg new file mode 100644 index 00000000000..7d8ae231bba --- /dev/null +++ b/.pipelines/containerSourceData/multus/multus.pkg @@ -0,0 +1,4 @@ +awk +ca-certificates +multus +python3 
diff --git a/.pipelines/containerSourceData/nginx/Dockerfile-Nginx b/.pipelines/containerSourceData/nginx/Dockerfile-Nginx new file mode 100644 index 00000000000..9f1444a1449 --- /dev/null +++ b/.pipelines/containerSourceData/nginx/Dockerfile-Nginx @@ -0,0 +1,21 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +# basic smoke test +RUN nginx -V + +COPY nginx.conf /etc/nginx/nginx.conf +COPY default.conf /etc/nginx/nginx.conf.default + +EXPOSE 80 + +STOPSIGNAL SIGQUIT + +# set default command for the container +CMD ["nginx", "-g", "daemon off;"] diff --git a/.pipelines/containerSourceData/nginx/configuration-files/default.conf b/.pipelines/containerSourceData/nginx/configuration-files/default.conf new file mode 100644 index 00000000000..ff2ced691d5 --- /dev/null +++ b/.pipelines/containerSourceData/nginx/configuration-files/default.conf @@ -0,0 +1,44 @@ +server { + listen 80; + server_name localhost; + + #access_log /var/log/nginx/host.access.log main; + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + 
diff --git a/.pipelines/containerSourceData/nginx/configuration-files/nginx.conf b/.pipelines/containerSourceData/nginx/configuration-files/nginx.conf new file mode 100644 index 00000000000..52526a4f327 --- /dev/null +++ b/.pipelines/containerSourceData/nginx/configuration-files/nginx.conf @@ -0,0 +1,32 @@ + +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/nginx.conf.default; +} diff --git a/.pipelines/containerSourceData/nginx/nginx.pkg b/.pipelines/containerSourceData/nginx/nginx.pkg new file mode 100644 index 00000000000..682e184a18e --- /dev/null +++ b/.pipelines/containerSourceData/nginx/nginx.pkg @@ -0,0 +1,4 @@ +ca-certificates +nginx +nginx-filesystem +nginx-mimetypes diff --git a/.pipelines/containerSourceData/nodejs/Dockerfile-Nodejs b/.pipelines/containerSourceData/nodejs/Dockerfile-Nodejs new file mode 100644 index 00000000000..e352d2b03e4 --- /dev/null +++ b/.pipelines/containerSourceData/nodejs/Dockerfile-Nodejs @@ -0,0 +1,15 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +# basic smoke test +RUN node --version; \ + npm --version + +# set default command for the container +CMD ["node"] diff --git a/.pipelines/containerSourceData/nodejs/nodejs.pkg b/.pipelines/containerSourceData/nodejs/nodejs.pkg new file mode 100644 index 00000000000..54515b67eee --- /dev/null +++ b/.pipelines/containerSourceData/nodejs/nodejs.pkg 
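Review bot: The `http` block never sets `server_tokens off;`, so error pages and the `Server:` response header of a published image advertise the exact nginx version to every client; add `server_tokens off;` next to `sendfile on;`. The `include /etc/nginx/nginx.conf.default;` line pulls in the file the Dockerfile copies from `default.conf`, but upstream nginx uses the `.default` suffix for its untouched sample configs, so a reader may assume it is inert; a comment such as `# nginx.conf.default is the live default vhost (copied from default.conf by the Dockerfile), not a sample` would avoid that confusion.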
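Review bot: The smoke test `RUN node --version; \ npm --version` joins the two commands with `;`, so a broken `node` binary does not fail the build as long as `npm --version` exits zero (and `npm` may well work through a different interpreter path); use `RUN node --version && npm --version` so either failure aborts the image, matching the `&&`-chained smoke tests in the other Dockerfiles of this commit.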
@@ -0,0 +1,2 @@ +ca-certificates +nodejs diff --git a/.pipelines/containerSourceData/nodejs/nodejs18.pkg b/.pipelines/containerSourceData/nodejs/nodejs18.pkg new file mode 100644 index 00000000000..e4c2ea2a619 --- /dev/null +++ b/.pipelines/containerSourceData/nodejs/nodejs18.pkg @@ -0,0 +1,2 @@ +ca-certificates +nodejs18 diff --git a/.pipelines/containerSourceData/openmpi/Dockerfile-Openmpi b/.pipelines/containerSourceData/openmpi/Dockerfile-Openmpi new file mode 100644 index 00000000000..046a39f0179 --- /dev/null +++ b/.pipelines/containerSourceData/openmpi/Dockerfile-Openmpi @@ -0,0 +1,22 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +#copy modulefiles and source module +RUN modulefile_openmpi=$(find /usr/share/modulefiles/ -name "openmpi-*" | head -n 1) && \ + cp $modulefile_openmpi /usr/share/modulefiles/mpi/openmpi && \ + mkdir -p /usr/share/modulefiles/openmpi/ && \ + cp /usr/share/modulefiles/mpi/openmpi /usr/share/modulefiles/openmpi/gcc && \ + cat /etc/profile.d/modules.sh >> /etc/bash.bashrc + +# basic smoke test +RUN source /etc/profile.d/modules.sh && \ + module load mpi/openmpi && \ + mpiexec --version + +CMD ["bash"] diff --git a/.pipelines/containerSourceData/openmpi/openmpi.pkg b/.pipelines/containerSourceData/openmpi/openmpi.pkg new file mode 100644 index 00000000000..f3793cd037d --- /dev/null +++ b/.pipelines/containerSourceData/openmpi/openmpi.pkg @@ -0,0 +1,2 @@ +openmpi +openmpi-devel diff --git a/.pipelines/containerSourceData/php/Dockerfile-PHP b/.pipelines/containerSourceData/php/Dockerfile-PHP new file mode 100644 index 00000000000..0ccb799f130 --- /dev/null +++ b/.pipelines/containerSourceData/php/Dockerfile-PHP 
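Review bot: `RUN source /etc/profile.d/modules.sh && module load mpi/openmpi && mpiexec --version` relies on `source`, which is a bash builtin, while `RUN` executes through `/bin/sh -c`; this only works if `/bin/sh` on the base image is bash, which the Dockerfile does not establish. Either use the POSIX form `. /etc/profile.d/modules.sh` or set `SHELL ["/bin/bash", "-c"]` before the smoke test so the check does not silently depend on the base image's shell. The preceding `RUN` also takes `head -n 1` of a `find` for `openmpi-*`; if no modulefile matches, `cp ""` fails with an unhelpful error, so a comment naming the expected path (or an explicit `test -n "$modulefile_openmpi"`) would make failures easier to diagnose.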
@@ -0,0 +1,14 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +# basic smoke test +RUN php --version + +# set default command for the container +CMD ["php", "-a"] diff --git a/.pipelines/containerSourceData/php/php.pkg b/.pipelines/containerSourceData/php/php.pkg new file mode 100644 index 00000000000..e369cc1f604 --- /dev/null +++ b/.pipelines/containerSourceData/php/php.pkg @@ -0,0 +1,8 @@ +autoconf +build-essential +ca-certificates +php +php-pear +php-pecl-zip +pkg-config +unzip diff --git a/.pipelines/containerSourceData/postgres/Dockerfile-Postgres b/.pipelines/containerSourceData/postgres/Dockerfile-Postgres new file mode 100644 index 00000000000..b7c850a89e2 --- /dev/null +++ b/.pipelines/containerSourceData/postgres/Dockerfile-Postgres 
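Review bot: php.pkg installs `build-essential`, `autoconf`, `pkg-config` and `unzip` into what the Dockerfile otherwise treats as a runtime image (its only actions are `php --version` and `CMD ["php", "-a"]`), so every consumer ships a compiler toolchain that enlarges the attack surface and the vulnerability-scan footprint. Presumably the intent is to let users `pecl install` extensions at build time; if so, say so in the Dockerfile (the `.pkg` list has no visible comment syntax), e.g. `# The toolchain (build-essential, autoconf, pkg-config) is included so derived images can build PECL extensions.`, or split the toolchain into a separate dev-flavoured image.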
@@ -0,0 +1,65 @@ +# Copyright (c) 2014, Docker PostgreSQL Authors (See AUTHORS) + +# Permission is hereby granted, free of charge, to any person +# obtaining a copy of this software and associated documentation +# files (the "Software"), to deal in the Software without +# restriction, including without limitation the rights to use, +# copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following +# conditions: + +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES +# OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +# OTHER DEALINGS IN THE SOFTWARE. 
+ +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +RUN set -eux; \ + groupadd -r postgres --gid=999; \ + useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \ + mkdir -p /var/lib/postgresql; \ + chown -R postgres:postgres /var/lib/postgresql + +# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default +RUN set -eux; \ + localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8 +ENV LANG en_US.utf8 + +RUN mkdir /docker-entrypoint-initdb.d + +ENV PG_MAJOR 14 +ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin + +# basic smoke test +RUN postgres --version + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +COPY postgres-docker-entrypoint.sh /usr/local/bin/ + +ENTRYPOINT ["/usr/local/bin/postgres-docker-entrypoint.sh"] + +STOPSIGNAL SIGINT + +EXPOSE 5432 + +# set default command for the container +CMD ["postgres"] diff --git a/.pipelines/containerSourceData/postgres/configuration-files/postgres-docker-entrypoint.sh b/.pipelines/containerSourceData/postgres/configuration-files/postgres-docker-entrypoint.sh new file mode 100755 index 00000000000..6923cb35ce2 --- /dev/null +++ b/.pipelines/containerSourceData/postgres/configuration-files/postgres-docker-entrypoint.sh 
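Review bot: `ENV PG_MAJOR 14` and `ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin` reproduce the Debian-style layout of the upstream docker-library Dockerfile; if the Mariner `postgresql` package installs its binaries under `/usr/bin`, as the succeeding `RUN postgres --version` smoke test would then be finding them, the PATH entry is dead and `PG_MAJOR` has to be kept in sync with the SPECS version by hand, so either drop both or add a comment stating which path the package really uses. The `chmod 2777 /var/run/postgresql` and `chmod 777 "$PGDATA"` are the upstream pattern, and the comment explains the PGDATA case, but only `$PGDATA` is narrowed to 700 by the entry-point, while `/var/run/postgresql` is merely tightened to 775 on a best-effort basis (the `chmod 775 /var/run/postgresql || :` in the entry-point hunk of this commit); a matching comment on the `2777` line, e.g. `# world-writable so arbitrary --user values can create the socket; the entry-point narrows it to 775 when it can`, keeps that rationale next to the permission.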
@@ -0,0 +1,376 @@ +#!/bin/bash + +# Copyright (c) 2014, Docker PostgreSQL Authors (See AUTHORS) + +# Permission is hereby granted, free of charge, to any person +# obtaining a copy of this software and associated documentation +# files (the "Software"), to deal in the Software without +# restriction, including without limitation the rights to use, +# copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following +# conditions: + +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES +# OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +# OTHER DEALINGS IN THE SOFTWARE. 
+ +set -Eeo pipefail + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! 
-user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + echo "Inside docker init database dir" + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + echo "$(getent passwd $uid)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + echo "postgres:x:$uid:$gid:PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$gid:" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both 
POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. 
Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *.sql.xz) echo "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; + *.sql.zst) echo "$0: running $f"; zstd -dc "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' 
+# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! 
_pg_want_help "$@"; then + echo "User: $(id -u)" + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + setpriv --reuid=postgres --regid=postgres --init-groups --inh-caps=-all "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /var/lib/postgresql/data/postgresql.conf; \ + grep -F "listen_addresses = '*'" /var/lib/postgresql/data/postgresql.conf + fi + + exec "$@" +} + +if ! _is_sourced; then + _main "$@" +fi diff --git a/.pipelines/containerSourceData/postgres/postgres.pkg b/.pipelines/containerSourceData/postgres/postgres.pkg new file mode 100644 index 00000000000..9af3fbf5b5f --- /dev/null +++ b/.pipelines/containerSourceData/postgres/postgres.pkg @@ -0,0 +1,9 @@ +glibc-i18n +gnupg2 +gzip +postgresql +postgresql-libs +shadow-utils +util-linux +xz +zstd 
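Review bot: `setpriv --reuid=postgres --regid=postgres --init-groups --inh-caps=-all "$BASH_SOURCE" "$@"` in `_main` is run without `exec`, so the root bash process stays PID 1 (the container's STOPSIGNAL is delivered to it rather than to postgres) and, if the child returns with status 0, the root parent falls through to the rest of `_main` and runs the initialization branch and `exec "$@"` itself as root; the line should read `exec setpriv --reuid=postgres --regid=postgres --init-groups --inh-caps=-all "$BASH_SOURCE" "$@"`. The same missing `exec` is on the `setpriv` line of rabbitmq-server-docker-entrypoint.sh later in this commit, whereas the redis entrypoint already uses `exec setpriv`. Separately, the `sed -ri ... listen_addresses ... /var/lib/postgresql/data/postgresql.conf` runs on every start, ignores `$PGDATA`, and silently rewrites a `listen_addresses` an operator may have deliberately restricted, so at most it belongs in the one-time initialization branch and should target `"$PGDATA/postgresql.conf"`. The `echo "Inside docker init database dir"`, `echo "$(getent passwd $uid)"` and `echo "User: $(id -u)"` lines look like leftover debugging and print to stdout alongside the real messages. `docker_setup_env`, `pg_setup_hba_conf` and `docker_setup_db` are called but not visible in the hunk as rendered here, so I cannot confirm they are defined in this file.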
diff --git a/.pipelines/containerSourceData/prometheus/Dockerfile-Prometheus b/.pipelines/containerSourceData/prometheus/Dockerfile-Prometheus
new file mode 100644
index 00000000000..95b26bf3b5b
--- /dev/null
+++ b/.pipelines/containerSourceData/prometheus/Dockerfile-Prometheus
@@ -0,0 +1,14 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# basic smoke test
+RUN prometheus --version
+
+# set default command for the container
+CMD ["prometheus", "--config.file=/etc/prometheus/prometheus.yml"]
diff --git a/.pipelines/containerSourceData/prometheus/prometheus.pkg b/.pipelines/containerSourceData/prometheus/prometheus.pkg
new file mode 100644
index 00000000000..9822b6eab65
--- /dev/null
+++ b/.pipelines/containerSourceData/prometheus/prometheus.pkg
@@ -0,0 +1,2 @@
+ca-certificates
+prometheus
diff --git a/.pipelines/containerSourceData/prometheusadapter/Dockerfile-Prometheus-Adapter b/.pipelines/containerSourceData/prometheusadapter/Dockerfile-Prometheus-Adapter
new file mode 100644
index 00000000000..f684a78565d
--- /dev/null
+++ b/.pipelines/containerSourceData/prometheusadapter/Dockerfile-Prometheus-Adapter
@@ -0,0 +1,14 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# basic smoke test
+RUN adapter 2>temp.txt; grep "successfully using in-cluster auth" temp.txt; rm temp.txt
+
+# set default command for the container
+ENTRYPOINT [ "adapter" ]
\ No newline at end of file
diff --git a/.pipelines/containerSourceData/prometheusadapter/prometheusadapter.pkg b/.pipelines/containerSourceData/prometheusadapter/prometheusadapter.pkg
new file mode 100644
index 00000000000..aef6dc50c48
--- /dev/null
+++ b/.pipelines/containerSourceData/prometheusadapter/prometheusadapter.pkg
@@ -0,0 +1 @@
+prometheus-adapter
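Review bot: No `USER` is set before `CMD ["prometheus", "--config.file=/etc/prometheus/prometheus.yml"]`, so unless the image selected by `$BASE_IMAGE` already switches users, a network-facing service runs as root; the upstream community image drops to `nobody`, and a `USER nobody` line (or a dedicated account created in a `RUN` step) after the smoke test would match that. The config path is assumed to come from the `prometheus` package; if it does not, the container fails at start rather than at build, so `RUN prometheus --version && test -f /etc/prometheus/prometheus.yml` would surface that during the image build.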
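Review bot: The smoke test `RUN adapter 2>temp.txt; grep "successfully using in-cluster auth" temp.txt; rm temp.txt` cannot fail the build: with `;` the step's exit status is that of the final `rm`, so a missing binary or a missing log line goes unnoticed. `RUN adapter 2>&1 | grep -q "successfully using in-cluster auth"` makes grep's result the step's result and avoids leaving a temp file behind. The comment `# set default command for the container` above `ENTRYPOINT [ "adapter" ]` describes a `CMD`; either adjust the comment or use `CMD` as the sibling Dockerfiles in this commit do.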
diff --git a/.pipelines/containerSourceData/python/Dockerfile-Python b/.pipelines/containerSourceData/python/Dockerfile-Python new file mode 100644 index 00000000000..01414ba278e --- /dev/null +++ b/.pipelines/containerSourceData/python/Dockerfile-Python @@ -0,0 +1,14 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +# basic smoke test +RUN python3 --version + +# set default command for the container +CMD ["python3"] diff --git a/.pipelines/containerSourceData/python/python.pkg b/.pipelines/containerSourceData/python/python.pkg new file mode 100644 index 00000000000..abd0a367a5c --- /dev/null +++ b/.pipelines/containerSourceData/python/python.pkg @@ -0,0 +1,5 @@ +python3 +python3-libs +python3-pip +python3-setuptools +python3-wheel diff --git a/.pipelines/containerSourceData/pytorch/Dockerfile-Pytorch b/.pipelines/containerSourceData/pytorch/Dockerfile-Pytorch new file mode 100644 index 00000000000..f4043d945b9 --- /dev/null +++ b/.pipelines/containerSourceData/pytorch/Dockerfile-Pytorch @@ -0,0 +1,24 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +WORKDIR /app + +RUN tdnf install -y mariner-repos-debug && tdnf clean all + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +RUN ln -s /usr/bin/python3 /usr/bin/python + +# basic smoke test +RUN python -c "import torch; print(torch.__version__)" + +COPY pytorch-docker-entrypoint.sh /usr/local/bin/ +RUN chmod +x /usr/local/bin/pytorch-docker-entrypoint.sh +ENTRYPOINT ["/usr/local/bin/pytorch-docker-entrypoint.sh"] + +# set default command for the container +CMD [ "python" ] diff --git a/.pipelines/containerSourceData/pytorch/configuration-files/pytorch-docker-entrypoint.sh b/.pipelines/containerSourceData/pytorch/configuration-files/pytorch-docker-entrypoint.sh new file mode 100644 index 00000000000..d521e6e138a --- /dev/null 
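Review bot: `RUN tdnf install -y mariner-repos-debug && tdnf clean all` enables the debug repository inside the shipped pytorch image, and together with the package list in the sibling pytorch.pkg hunk (build-essential, valgrind, wget, nginx, systemd and a dozen `-devel` packages) the runtime image carries a full compiler toolchain and unrelated daemons; if those are build-time needs, a multi-stage build or a trimmed list would shrink the attack surface considerably, and if nginx/systemd are intentional a comment stating why would stop them being removed later. `RUN ln -s /usr/bin/python3 /usr/bin/python` fails the build if the `python3` package already provides `/usr/bin/python`; `ln -sf` (or checking for the existing link first) avoids that, though I cannot tell from this file whether the package does.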
+++ b/.pipelines/containerSourceData/pytorch/configuration-files/pytorch-docker-entrypoint.sh @@ -0,0 +1,14 @@ +#!/bin/bash +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +_main() { + { + source /etc/profile.d/conda.sh; + conda create -y -n pytorch + conda activate pytorch; + } >> /dev/null + "$@" +} + +_main "$@" diff --git a/.pipelines/containerSourceData/pytorch/pytorch.pkg b/.pipelines/containerSourceData/pytorch/pytorch.pkg new file mode 100644 index 00000000000..43f2fe053f5 --- /dev/null +++ b/.pipelines/containerSourceData/pytorch/pytorch.pkg @@ -0,0 +1,36 @@ +build-essential +bzip2-devel +ca-certificates +cmake +conda +e2fsprogs +gdbm-devel +gnupg2 +libffi-devel +make +ncurses-devel +nginx +nss-devel +openssl-devel +python3 +python3-PyYAML +python3-devel +python3-filelock +python3-hypothesis +python3-jinja2 +python3-libs +python3-numpy +python3-pip +python3-pytorch +python3-setuptools +python3-typing-extensions +python3-wheel +readline-devel +setools-python3 +sqlite-devel +systemd +tar +valgrind +wget +xz-devel +zlib-devel diff --git a/.pipelines/containerSourceData/rabbitmqserver/Dockerfile-rabbitmq-server b/.pipelines/containerSourceData/rabbitmqserver/Dockerfile-rabbitmq-server new file mode 100644 index 00000000000..71343cf61f9 --- /dev/null +++ b/.pipelines/containerSourceData/rabbitmqserver/Dockerfile-rabbitmq-server 
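Review bot: `"$@"` at the end of `_main` is not `exec`'d, so bash remains PID 1 and the real command runs as its child: a SIGTERM from the runtime stops at the shell and the container's exit code is bash's rather than the command's; the last line of `_main` should be `exec "$@"`. The `conda create -y -n pytorch` runs on every container start, requests no packages, and needs write access to the conda prefix, and because the script has no `set -e` and `>> /dev/null` only hides stdout, any failure is printed and then ignored. It is not obvious from this file which `python` the Dockerfile's `CMD [ "python" ]` resolves to once an empty env is activated, so a comment stating what the environment is for and a check that the RPM-installed torch is visible from it would be worth adding.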
@@ -0,0 +1,75 @@ +# Copyright (c) 2014 Docker, Inc. + +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: + +# The above copyright notice and this permission notice shall be included +# in all copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +# setup rabbitmq user +ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq + +RUN set -eux; \ + erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'; \ + groupadd -r rabbitmq --gid=999; \ + useradd --uid=999 -r --home-dir="$RABBITMQ_DATA_DIR" -g rabbitmq rabbitmq; \ + mkdir -p "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chown -fR rabbitmq:rabbitmq "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chmod 1777 "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq + +# set LANG Variables for elixir +ENV LANG=en_US.UTF-8 LANGUAGE=en_US.UTF-8 LC_ALL=en_US.UTF-8 + +# put commands inside of directories on the path +RUN set -eux; \ + ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.11.11/sbin/rabbitmqctl /usr/sbin/rabbitmqctl; \ + ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.11.11/sbin/rabbitmq-server /usr/sbin/rabbitmq-server; \ + ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.11.11/sbin/rabbitmq-plugins /usr/sbin/rabbitmq-plugins; \ + ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.11.11/sbin/rabbitmq-diagnostics /usr/sbin/rabbitmq-diagnostics; \ + ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.11.11/sbin/rabbitmq-defaults /usr/sbin/rabbitmq-defaults; \ + ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.11.11/sbin/rabbitmq-env /usr/sbin/rabbitmq-env + +# run basic smoke test as rabbitmq user +RUN set -eux; \ + # runuser is used in place of a heavier program like gosu, and setpriv cannot be used as the HOME and ENV variables are required by rabbitmq + runuser -u rabbitmq -- rabbitmqctl help; \ + runuser -u rabbitmq -- rabbitmqctl list_ciphers; \ + runuser -u rabbitmq -- rabbitmq-plugins list + +# enable Prometheus-style metrics by default (https://github.com/docker-library/rabbitmq/issues/419) +RUN runuser -u 
rabbitmq -- rabbitmq-plugins enable --offline rabbitmq_prometheus + +# set home so that any `--user` knows where to put the erlang cookie +ENV HOME $RABBITMQ_DATA_DIR + +# hint that the data (a.k.a. home dir) dir should be separate volume +VOLUME $RABBITMQ_DATA_DIR + +COPY rabbitmq-server-docker-entrypoint.sh /usr/local/bin/ +RUN chmod +x /usr/local/bin/rabbitmq-server-docker-entrypoint.sh +ENTRYPOINT ["/usr/local/bin/rabbitmq-server-docker-entrypoint.sh"] + +# expose default rabbitmq ports +EXPOSE 4369 5671 5672 15691 15692 25672 + +# set default command for the container +CMD ["rabbitmq-server"] diff --git a/.pipelines/containerSourceData/rabbitmqserver/configuration-files/rabbitmq-server-docker-entrypoint.sh b/.pipelines/containerSourceData/rabbitmqserver/configuration-files/rabbitmq-server-docker-entrypoint.sh new file mode 100644 index 00000000000..4012adebe53 --- /dev/null +++ b/.pipelines/containerSourceData/rabbitmqserver/configuration-files/rabbitmq-server-docker-entrypoint.sh 
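Review bot: The six `ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.11.11/sbin/...` lines pin the Dockerfile to one exact `rabbitmq-server` package version; the next package update leaves dangling symlinks and the build fails at the `rabbitmqctl help` smoke test with no hint as to why. A glob over the installed sbin directory removes the coupling and also picks up any tool the list currently misses. The `chmod 1777` over `/etc/rabbitmq` and `/etc/rabbitmq/conf.d` leaves the configuration directories world-writable; this appears to follow the upstream image's support for arbitrary `--user` values, but a one-line comment saying so would stop the next reader from either treating it as a mistake or, if arbitrary uids are not a supported use here, from leaving it that way.
```dockerfile
# put commands inside of directories on the path
RUN set -eux; \
    for tool in /usr/lib/rabbitmq/lib/rabbitmq_server-*/sbin/*; do \
        ln -s "$tool" "/usr/sbin/$(basename "$tool")"; \
    done
```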
@@ -0,0 +1,73 @@ +#!/bin/bash +# Copyright (c) 2014 Docker, Inc. + +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: + +# The above copyright notice and this permission notice shall be included +# in all copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +set -euo pipefail + +# allow the container to be started with `--user` +if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then + if [ "$1" = 'rabbitmq-server' ]; then + find /var/lib/rabbitmq \! 
-user rabbitmq -exec chown rabbitmq '{}' + + fi + + setpriv --reuid=rabbitmq --regid=rabbitmq --init-groups --inh-caps=-all "$BASH_SOURCE" "$@" +fi + +deprecatedEnvVars=( + RABBITMQ_DEFAULT_PASS_FILE + RABBITMQ_DEFAULT_USER_FILE + RABBITMQ_MANAGEMENT_SSL_CACERTFILE + RABBITMQ_MANAGEMENT_SSL_CERTFILE + RABBITMQ_MANAGEMENT_SSL_DEPTH + RABBITMQ_MANAGEMENT_SSL_FAIL_IF_NO_PEER_CERT + RABBITMQ_MANAGEMENT_SSL_KEYFILE + RABBITMQ_MANAGEMENT_SSL_VERIFY + RABBITMQ_SSL_CACERTFILE + RABBITMQ_SSL_CERTFILE + RABBITMQ_SSL_DEPTH + RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT + RABBITMQ_SSL_KEYFILE + RABBITMQ_SSL_VERIFY + RABBITMQ_VM_MEMORY_HIGH_WATERMARK +) + +hasOldEnv= +for old in "${deprecatedEnvVars[@]}"; do + if [ -n "${!old:-}" ]; then + echo >&2 "error: $old is set but deprecated" + hasOldEnv=1 + fi +done + +if [ -n "$hasOldEnv" ]; then + echo >&2 'error: deprecated environment variables detected' + echo >&2 + echo >&2 'Please use a configuration file instead; visit https://www.rabbitmq.com/configure.html to learn more' + echo >&2 + exit 1 +fi + +# if long and short hostnames are not the same, use long hostnames +if [ -z "${RABBITMQ_USE_LONGNAME:-}" ] && [ "$(hostname)" != "$(hostname -s)" ]; then + : "${RABBITMQ_USE_LONGNAME:=true}" +fi + +exec "$@" diff --git a/.pipelines/containerSourceData/rabbitmqserver/rabbitmqserver.pkg b/.pipelines/containerSourceData/rabbitmqserver/rabbitmqserver.pkg new file mode 100644 index 00000000000..65aa0293318 --- /dev/null +++ b/.pipelines/containerSourceData/rabbitmqserver/rabbitmqserver.pkg @@ -0,0 +1,4 @@ +rabbitmq-server +shadow-utils +util-linux +hostname diff --git a/.pipelines/containerSourceData/redis/Dockerfile-Redis b/.pipelines/containerSourceData/redis/Dockerfile-Redis new file mode 100644 index 00000000000..3eb05a96a2e --- /dev/null +++ b/.pipelines/containerSourceData/redis/Dockerfile-Redis 
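Review bot: `: "${RABBITMQ_USE_LONGNAME:=true}"` assigns a shell variable that the preceding `-z` test just established was unset, and nothing in this file exports it, so unless the environment is marked for export elsewhere the value never reaches the `exec "$@"`'d server and the long-hostname branch is a no-op; `export RABBITMQ_USE_LONGNAME=true` inside the `if` makes the intent effective. The deprecated-variable loop and the `exit 1` that follows are fine, but the per-variable `echo >&2 "error: $old is set but deprecated"` could name the replacement (`Please use a configuration file instead`) in the same line so the hint is not lost when only the first lines of the log are read.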
@@ -0,0 +1,26 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +RUN set -eux && \ + redis-cli --version && \ + redis-server --version && \ + mkdir /data && \ + chown redis:redis /data + +VOLUME /data +WORKDIR /data + +COPY redis-docker-entrypoint.sh /usr/local/bin/ + +RUN chmod +x /usr/local/bin/redis-docker-entrypoint.sh + +ENTRYPOINT ["/usr/local/bin/redis-docker-entrypoint.sh"] + +EXPOSE 6379 +CMD ["redis-server"] \ No newline at end of file diff --git a/.pipelines/containerSourceData/redis/configuration-files/redis-docker-entrypoint.sh b/.pipelines/containerSourceData/redis/configuration-files/redis-docker-entrypoint.sh new file mode 100755 index 00000000000..95cad2d9212 --- /dev/null +++ b/.pipelines/containerSourceData/redis/configuration-files/redis-docker-entrypoint.sh @@ -0,0 +1,26 @@ +#!/bin/bash +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +set -e + +# first arg is `-f` or `--some-option` +# or first arg is `something.conf` +if [ "${1#-}" != "$1" ] || [ "${1%.conf}" != "$1" ]; then + set -- redis-server "$@" +fi + +# allow the container to be started with `--user` +if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then + find . \! -user redis -exec chown redis '{}' + + exec setpriv --reuid=redis --regid=redis --init-groups --inh-caps=-all "$BASH_SOURCE" "$@" +fi + +# set an appropriate umask (if one isn't set already) +# - https://github.com/docker-library/redis/issues/305 +# - https://github.com/redis/redis/blob/bb875603fb7ff3f9d19aad906bd45d7db98d9a39/utils/systemd-redis_server.service#L37 +um="$(umask)" +if [ "$um" = '0022' ]; then + umask 0077 +fi + +exec "$@" \ No newline at end of file diff --git a/.pipelines/containerSourceData/redis/redis.pkg b/.pipelines/containerSourceData/redis/redis.pkg new file mode 100644 index 00000000000..ea9d5e25c33 --- /dev/null +++ b/.pipelines/containerSourceData/redis/redis.pkg 
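Review bot: `[ "$1" = 'redis-server' -a "$(id -u)" = '0' ]` uses the obsolescent `-a` operator inside `[`, whose behaviour POSIX leaves unspecified once `[` sees more than four arguments; the other entrypoints in this commit chain separate tests, so `[ "$1" = 'redis-server' ] && [ "$(id -u)" = '0' ]` keeps the file consistent with them. `find . \! -user redis -exec chown redis '{}' +` walks whatever is mounted at `WORKDIR /data` on every root start; that matches the upstream behaviour, but a one-line comment noting that it recurses into the data volume would save the next reader a question.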
@@ -0,0 +1,3 @@ +redis +cronie +util-linux diff --git a/.pipelines/containerSourceData/ruby/Dockerfile-Ruby b/.pipelines/containerSourceData/ruby/Dockerfile-Ruby new file mode 100644 index 00000000000..f8e2e2a6aa7 --- /dev/null +++ b/.pipelines/containerSourceData/ruby/Dockerfile-Ruby @@ -0,0 +1,34 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +ARG BASE_IMAGE + +FROM $BASE_IMAGE + +@INCLUDE_MAIN_RUN_INSTRUCTION@ + +# Updating gems available +RUN gem update --system + +# Skip installing gem documentation +RUN set -eux; \ + mkdir -p /usr/local/etc; \ + { \ + echo 'install: --no-document'; \ + echo 'update: --no-document'; \ + } >> /usr/local/etc/gemrc + +# Set env variables +ENV LANG C.UTF-8 +ENV GEM_HOME=/usr/local/bundle +ENV BUNDLE_SILENCE_ROOT_WARNING=1 \ + BUNDLE_APP_CONFIG="$GEM_HOME" +ENV PATH $GEM_HOME/bin:$PATH + +RUN mkdir -p "$GEM_HOME" && chmod 777 "$GEM_HOME" + +# basic smoke test +RUN ruby --version && bundle --version && gem --version + +# set default command for the container +CMD ["irb"] diff --git a/.pipelines/containerSourceData/ruby/ruby.pkg b/.pipelines/containerSourceData/ruby/ruby.pkg new file mode 100644 index 00000000000..090181ccc45 --- /dev/null +++ b/.pipelines/containerSourceData/ruby/ruby.pkg @@ -0,0 +1,15 @@ +binutils +ca-certificates +gcc +glibc-devel +gmp-devel +kernel-headers +libffi-devel +libyaml-devel +make +ncurses +procps +ruby +rubygem-rake +sqlite-devel +tzdata diff --git a/.pipelines/containerSourceData/rust/Dockerfile-Rust b/.pipelines/containerSourceData/rust/Dockerfile-Rust new file mode 100644 index 00000000000..edac5a4ba02 --- /dev/null +++ b/.pipelines/containerSourceData/rust/Dockerfile-Rust 
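Review bot: `RUN gem update --system` fetches whatever RubyGems release is current at build time, so two builds of the same commit can yield different images and the distro-packaged rubygems that came with `ruby` is replaced by an unpinned download outside the package manager; pin it (`gem update --system <PINNED_RUBYGEMS_VERSION>`, version to be chosen by the maintainers) or drop the step and rely on the packaged gem. `chmod 777 "$GEM_HOME"` makes the gem directory world-writable without the sticky bit, so one uid can delete or replace gems another uid installed; `chmod 1777 "$GEM_HOME"` keeps the `--user` use-case while preventing that.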
@@ -0,0 +1,18 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ENV CARGO_HOME=/usr/local/cargo \
+ PATH=/usr/local/cargo/bin:$PATH
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# basic smoke test
+RUN cargo --version; \
+ rustc --version;
+
+# set default command for the container
+CMD ["bash"]
diff --git a/.pipelines/containerSourceData/rust/rust.pkg b/.pipelines/containerSourceData/rust/rust.pkg
new file mode 100644
index 00000000000..cba533f53d3
--- /dev/null
+++ b/.pipelines/containerSourceData/rust/rust.pkg
@@ -0,0 +1,3 @@
+build-essential
+ca-certificates
+rust
diff --git a/.pipelines/containerSourceData/scripts/BuildBaseContainers.sh b/.pipelines/containerSourceData/scripts/BuildBaseContainers.sh
new file mode 100755
index 00000000000..13cc2a3f234
--- /dev/null
+++ b/.pipelines/containerSourceData/scripts/BuildBaseContainers.sh
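Review bot: `RUN cargo --version; \ rustc --version;` joins the two checks with `;`, so a failing `cargo --version` is ignored and only `rustc`'s status decides whether the step passes; `RUN cargo --version && rustc --version` (or the `set -eux;` prefix the other Dockerfiles in this commit use) makes both checks count. `CARGO_HOME=/usr/local/cargo` and the matching PATH entry are set, but nothing in this file populates `/usr/local/cargo`; if the `rust` package installs `cargo` into `/usr/bin`, the PATH entry is harmless but dead, so a comment stating whether it exists for downstream `cargo install` use would make the intent clear.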
@@ -0,0 +1,428 @@ +#!/bin/bash +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +set -e + +if [[ $(uname -p) == "x86_64" ]]; then + ARCHITECTURE="amd64" +else + ARCHITECTURE="arm64" +fi + +PUBLISHING_LEVEL="development" +BRANCH_NAME="main" + +# parse script parameters: +# -m -> folder containing artifacts of CBL-Mariner +# -n -> name of the container registry +# -o -> folder where to put artifacts to be published +# -b -> branch name +# -p -> publishing level +# -x -> container source dir from cbl-mariner +while getopts ":m:n:o:b:p:x:" OPTIONS; do + case ${OPTIONS} in + m ) MARINER_ARTIFACTS_FOLDER=$OPTARG;; + n ) CONTAINER_REGISTRY_NAME=$OPTARG + CONTAINER_REGISTRY_NAME_FULL="$CONTAINER_REGISTRY_NAME.azurecr.io";; + o ) OUTPUT_FOLDER=$OPTARG;; + b ) BRANCH_NAME=$OPTARG;; + p ) PUBLISHING_LEVEL=$OPTARG;; + x ) CONTAINER_SRC_DIR=$OPTARG;; + + \? ) + echo "Error - Invalid Option: -$OPTARG" 1>&2 + exit 1 + ;; + : ) + echo "Error - Invalid Option: -$OPTARG requires an argument" 1>&2 + exit 1 + ;; + esac +done + +echo "- MARINER_ARTIFACTS_FOLDER -> $MARINER_ARTIFACTS_FOLDER" +echo "- CONTAINER_REGISTRY_NAME -> $CONTAINER_REGISTRY_NAME" +echo "- CONTAINER_REGISTRY_NAME_FULL -> $CONTAINER_REGISTRY_NAME_FULL" +echo "- ARCHITECTURE -> $ARCHITECTURE" +echo "- BRANCH_NAME -> $BRANCH_NAME" +echo "- PUBLISHING_LEVEL -> $PUBLISHING_LEVEL" +echo "- OUTPUT_FOLDER -> $OUTPUT_FOLDER" + +ROOT_FOLDER="$(git rev-parse --show-toplevel)" + +BASE_IMAGE_TARBALL=$(find "$MARINER_ARTIFACTS_FOLDER" -name "core-[0-9.]*.tar.gz") +if [[ ! 
-f $BASE_IMAGE_TARBALL ]]; then + echo "Error - No base image tarball in $MARINER_ARTIFACTS_FOLDER" + exit 1 +fi + +DISTROLESS_IMAGE_TARBALL=$(find "$MARINER_ARTIFACTS_FOLDER" -name "distroless-base-[0-9.]*.tar.gz") +DISTROLESS_DEBUG_IMAGE_TARBALL=$(find "$MARINER_ARTIFACTS_FOLDER" -name "distroless-debug-[0-9.]*.tar.gz") +DISTROLESS_MINIMAL_IMAGE_TARBALL=$(find "$MARINER_ARTIFACTS_FOLDER" -name "distroless-minimal-[0-9.]*.tar.gz") +if [[ (! -f $DISTROLESS_IMAGE_TARBALL) || \ + (! -f $DISTROLESS_DEBUG_IMAGE_TARBALL) || \ + (! -f $DISTROLESS_MINIMAL_IMAGE_TARBALL) ]]; then + echo "Error - Missing some distroless image tarball(s) in $MARINER_ARTIFACTS_FOLDER" + exit 1 +fi + + +echo "+++ create temp folder" +TEMPDIR=$(mktemp -d) + +function cleanup { + echo "+++ remove $TEMPDIR" + rm -rf "$TEMPDIR" +} +trap cleanup EXIT + +readonly BASE="base" +readonly DISTROLESS="distroless" +readonly BUSYBOX="busybox" + +# Use this global variable to store the most recently built base image. +LAST_BASE_IMAGE="" + +# Use this global variable to store the most recently built distroless image. +LAST_DISTROLESS_IMAGE="" + +# Use this global variable to store full container tag from base container image. +# This variable is set in the create_base_image function. +FULL_CONTAINER_TAG="" + +# these variables are used to create text files listing golden image names. 
+readonly file_name_prefix='PublishedContainers' +readonly file_ext='.txt' + +function get_container_info { + local container_file + local file_name + local prefix + local registryPrefix # (e.g.: public/cbl-mariner for container that go to MCR) + local temp_name + local repo_name + local __name + local __tag + + # $1: container tarball file name + # $2: name [out param] + # $3: tag [out param] + # $4: acr repo + # $5: prefix [optional, must be the last param] + container_file=$1 + __name=$2 + __tag=$3 + repo_name=$4 + if [[ -n $5 ]]; then + prefix=$5 + fi + + # remove path and extension + file_name=$(basename "$container_file") + file_name=${file_name%.tar.gz} + # Mariner 2.0 preview hack (remove "-Preview-" and following char(s) from name) + file_name=$(echo $file_name | sed "s/-Preview-.*//") + + # get container name and tag + oldifs=$IFS + IFS='#' + read -ra name_parts <<< "$(echo "$file_name" | sed -r 's/-([^-]*)$/#\1/')" + IFS=$oldifs + temp_name=${name_parts[0]} + temp_name=${temp_name//-/\/} + + # build full container name (all base containers are under 'base' in config file) + getRegistryPrefix 'base' $PUBLISHING_LEVEL $BRANCH_NAME registryPrefix + if [[ -n $registryPrefix ]]; then + repo_name=$repo_name/$registryPrefix + fi + if [[ -n $prefix ]]; then + eval "$__name"="$repo_name/$prefix/$temp_name" + else + eval "$__name"="$repo_name/$temp_name" + fi + eval "$__tag"="${name_parts[1]}-$ARCHITECTURE" +} + +function create_base_image { + local container_name_prefix=$1 + local container_type=$2 + local container_tarball=$3 + local dockerfile=$4 + local container_name + local container_tag + + get_container_info "$container_tarball" container_name container_tag "$CONTAINER_REGISTRY_NAME_FULL" "$container_name_prefix" + + local full_container_name + full_container_name="$container_name:$container_tag" + + # FULL_CONTAINER_TAG is used to tag the marinara builder image. 
+ FULL_CONTAINER_TAG="$container_tag" + + if [[ $container_type == "$BASE" ]]; then + LAST_BASE_IMAGE=$full_container_name + elif [[ $container_type == "$DISTROLESS" ]]; then + LAST_DISTROLESS_IMAGE=$full_container_name + fi + + echo + echo "container_name_prefix: -> $container_name_prefix" + echo "container_type: -> $container_type" + echo "container_tarball: -> $container_tarball" + echo "LAST_BASE_IMAGE: -> $LAST_BASE_IMAGE" + echo "LAST_DISTROLESS_IMAGE: -> $LAST_DISTROLESS_IMAGE" + echo "full_container_name: -> $full_container_name" + echo "dockerfile -> $dockerfile" + echo + + echo "----------------------------------------------------------------------" + echo "+++ create container $full_container_name" + echo " from $(basename "$container_tarball")" + echo + + cat "$container_tarball" | docker import - "$full_container_name" + + echo "$full_container_name" >> "$TEMPDIR/$file_name_prefix-$container_type$file_ext" + echo "----------------------------------------------------------------------" + + local containerBuildDir="$TEMPDIR/ContainerBuildDir" + mkdir -p "$containerBuildDir" + + cp "$ROOT_FOLDER/pipelines/publish-containers/common/data/EULA-Container.txt" "$containerBuildDir"/ + cp "$CONTAINER_SRC_DIR/$container_type/$dockerfile" "$containerBuildDir/Dockerfile" + + pushd "$containerBuildDir" > /dev/null + + # Build image + docker build . \ + --build-arg EULA="EULA-Container.txt" \ + --build-arg BASE_IMAGE="$full_container_name" \ + -t "$full_container_name" \ + --no-cache \ + --progress=plain + + popd > /dev/null + + # Clean up temp folder + sudo rm -rf "$containerBuildDir" +} + +function create_base_nonroot_image { + local mariner_version + local mariner_build_arch + + local base_container_full_name="$LAST_BASE_IMAGE" + local base_container_name=${base_container_full_name%:*} + local base_container_tag=${base_container_full_name#*:} + mariner_version=$(awk -F '.' 
'{print $1"."$2}' <<< "$base_container_tag") # 2.0.20220426-amd64 -> 2.0 + + mariner_build_arch=$(awk -F '.' '{print $3}' <<< "$base_container_tag") # 2.0.20220426-amd64 -> 20220426-amd64 + local full_new_tag=$mariner_version-nonroot.$mariner_build_arch # 2.0-nonroot.20220426-amd64 + local full_container_name="$base_container_name:$full_new_tag" + local dockerfile="Dockerfile-Base-Nonroot-Template" + + echo + echo "base_container_full_name: -> $base_container_full_name" + echo "base_container_name: -> $base_container_name" + echo "base_container_tag: -> $base_container_tag" + echo "mariner_version: -> $mariner_version" + echo "full_container_name: -> $full_container_name" + echo "dockerfile -> $dockerfile" + echo + + echo "----------------------------------------------------------------------" + echo "+++ create container $full_container_name" + echo " from $base_container_full_name" + echo + + echo "$full_container_name" >> "$TEMPDIR/$file_name_prefix-$BASE$file_ext" + echo "----------------------------------------------------------------------" + + local containerBuildDir="$TEMPDIR/ContainerBuildDir" + mkdir -p "$containerBuildDir" + + cp "$CONTAINER_SRC_DIR/base/$dockerfile" "$containerBuildDir/Dockerfile" + + pushd "$containerBuildDir" > /dev/null + + # Build image + docker build . \ + --build-arg BASE_IMAGE="$base_container_full_name" \ + --build-arg MARINER_VERSION="$mariner_version" \ + -t "$full_container_name" \ + --no-cache \ + --progress=plain + + popd > /dev/null + + # Clean up temp folder + sudo rm -rf "$containerBuildDir" +} + +function create_busybox_image { + local mariner_version + local registryPrefix # (e.g.: public/cbl-mariner for container that go to MCR) + + mariner_version=$(awk -F '.' '{print $1"."$2}' <<< "$FULL_CONTAINER_TAG") # 2.0.20220426-amd64 -> 2.0 + + # Get registry prefix for busybox container. Use the same registry destination as the base container. 
+ getRegistryPrefix 'base' $PUBLISHING_LEVEL $BRANCH_NAME registryPrefix + + if [[ -n $registryPrefix ]]; then + full_busybox_container_name="$CONTAINER_REGISTRY_NAME_FULL/$registryPrefix/$BUSYBOX:$FULL_CONTAINER_TAG" + else + full_busybox_container_name="$CONTAINER_REGISTRY_NAME_FULL/$BUSYBOX:$FULL_CONTAINER_TAG" + fi + + echo "----------------------------------------------------------------------" + echo "+++ create container $full_busybox_container_name" + echo + echo "$full_busybox_container_name" >> "$TEMPDIR/$file_name_prefix-$BUSYBOX$file_ext" + echo "----------------------------------------------------------------------" + + local containerBuildDir="$TEMPDIR/ContainerBuildDir" + mkdir -p "$containerBuildDir" + + cp "$CONTAINER_SRC_DIR/busybox/Dockerfile-Busybox-Template" "$containerBuildDir/Dockerfile" + + pushd "$containerBuildDir" > /dev/null + + docker build . \ + --build-arg BASE_IMAGE="$LAST_BASE_IMAGE" \ + --build-arg MARINER_VERSION="$mariner_version" \ + -t "$full_busybox_container_name" \ + --no-cache \ + --progress=plain + + popd > /dev/null + + # Clean up temp folder + sudo rm -rf "$containerBuildDir" +} + +function create_marinara_image { + local mariner_version + local registryPrefix # (e.g.: public/cbl-mariner for container that go to MCR) + + mariner_version=$(awk -F '.' 
'{print $1"."$2}' <<< "$FULL_CONTAINER_TAG") # 2.0.20220426-amd64 -> 2.0 + marinara="marinara" + + # get registry prefix for marinara container (note that marinara is under 'base' in config file) + getRegistryPrefix 'base' $PUBLISHING_LEVEL $BRANCH_NAME registryPrefix + if [[ -n $registryPrefix ]]; then + full_marinara_container_name="$CONTAINER_REGISTRY_NAME_FULL/$registryPrefix/$marinara:$FULL_CONTAINER_TAG" + else + full_marinara_container_name="$CONTAINER_REGISTRY_NAME_FULL/$marinara:$FULL_CONTAINER_TAG" + fi + + marinaraSrcDir="$TEMPDIR/$marinara-src" + git clone "https://github.com/microsoft/$marinara.git" "$marinaraSrcDir" + pushd "$marinaraSrcDir" + + echo "----------------------------------------------------------------------" + echo "+++ create container $full_marinara_container_name" + echo + echo "$full_marinara_container_name" >> "$TEMPDIR/$file_name_prefix-$marinara$file_ext" + echo "----------------------------------------------------------------------" + + # Update dockerfile-marinara to use the current base container + sed -E "s|^FROM mcr\..*installer$|FROM $LAST_BASE_IMAGE as installer|g" -i "dockerfile-$marinara" + + docker build . \ + -t "$full_marinara_container_name" \ + -f dockerfile-$marinara \ + --no-cache \ + --progress=plain + + popd > /dev/null + echo "+++ remove $marinaraSrcDir" + sudo rm -rf "$marinaraSrcDir" +} + +function create_distroless_nonroot_image { + local mariner_version + local mariner_build_arch + + local base_container_full_name="$LAST_BASE_IMAGE" + local distroless_container_full_name="$LAST_DISTROLESS_IMAGE" + local distroless_container_name=${distroless_container_full_name%:*} + local distroless_container_tag=${distroless_container_full_name#*:} + mariner_version=$(awk -F '.' '{print $1"."$2}' <<< "$distroless_container_tag") # 2.0.20220426-amd64 -> 2.0 + + mariner_build_arch=$(awk -F '.' 
'{print $3}' <<< "$distroless_container_tag") # 2.0.20220426-amd64 -> 20220426-amd64 + local full_new_tag=$mariner_version-nonroot.$mariner_build_arch # 2.0-nonroot.20220426-amd64 + local full_container_name="$distroless_container_name:$full_new_tag" + local dockerfile="Dockerfile-Distroless-Nonroot-Template" + + echo + echo "base_container_full_name: -> $base_container_full_name" + echo "distroless_container_full_name: -> $distroless_container_full_name" + echo "distroless_container_name: -> $distroless_container_name" + echo "distroless_container_tag: -> $distroless_container_tag" + echo "mariner_version: -> $mariner_version" + echo "full_container_name: -> $full_container_name" + echo "dockerfile -> $dockerfile" + echo + + echo "----------------------------------------------------------------------" + echo "+++ create container $full_container_name" + echo " from $distroless_container_full_name" + echo + + echo "$full_container_name" >> "$TEMPDIR/$file_name_prefix-$DISTROLESS$file_ext" + echo "----------------------------------------------------------------------" + + local containerBuildDir="$TEMPDIR/ContainerBuildDir" + mkdir -p "$containerBuildDir" + + cp "$CONTAINER_SRC_DIR/distroless/$dockerfile" "$containerBuildDir/Dockerfile" + + pushd "$containerBuildDir" > /dev/null + + # Build image + docker build . 
\ + --build-arg BASE_IMAGE="$base_container_full_name" \ + --build-arg FINAL_IMAGE="$distroless_container_full_name" \ + --build-arg MARINER_VERSION="$mariner_version" \ + -t "$full_container_name" \ + --no-cache \ + --progress=plain + + popd > /dev/null + + # Clean up temp folder + sudo rm -rf "$containerBuildDir" +} + +function start_building_containers { + echo + echo "=====================================================================" + echo "Create Base and Distroless Mariner Containers" + echo "=====================================================================" + echo + + create_base_image $BASE $BASE "$BASE_IMAGE_TARBALL" "Dockerfile-Base-Template" + create_base_nonroot_image + + create_busybox_image + create_marinara_image + + create_base_image "" $DISTROLESS "$DISTROLESS_IMAGE_TARBALL" "Dockerfile-Distroless-Template" + create_distroless_nonroot_image + + create_base_image "" $DISTROLESS "$DISTROLESS_DEBUG_IMAGE_TARBALL" "Dockerfile-Distroless-Template" + create_distroless_nonroot_image + + create_base_image "" $DISTROLESS "$DISTROLESS_MINIMAL_IMAGE_TARBALL" "Dockerfile-Distroless-Template" + create_distroless_nonroot_image +} + +# source the CommonFunctions script to get the following function: +# - save_container_list +# - getRegistryPrefix +source $CONTAINER_SRC_DIR/scripts/CommonFunctions.sh + +start_building_containers +save_container_list diff --git a/.pipelines/containerSourceData/scripts/BuildCdiContainers.sh b/.pipelines/containerSourceData/scripts/BuildCdiContainers.sh new file mode 100755 index 00000000000..66cc834497a --- /dev/null +++ b/.pipelines/containerSourceData/scripts/BuildCdiContainers.sh 
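Review bot: In create_marinara_image, `git clone "https://github.com/microsoft/$marinara.git" "$marinaraSrcDir"` checks out whatever the repository's default branch holds at run time and the marinara image is built straight from that tree, so a base-image publishing run is neither reproducible nor auditable — its content is decided by the state of an external repository at that moment. Pinning the checkout (`git clone --branch <TAG_OR_REF_PLACEHOLDER> ...`, or `git checkout <COMMIT_PLACEHOLDER>` after the clone) and echoing `git rev-parse HEAD` into the log would fix both. The following `sed -E "s|^FROM mcr\..*installer$|FROM $LAST_BASE_IMAGE as installer|g" -i "dockerfile-$marinara"` also succeeds silently if upstream changes that FROM line, in which case the image is quietly built on the public MCR base instead of the just-imported one; a `grep -q "^FROM $LAST_BASE_IMAGE as installer" "dockerfile-$marinara"` after the sed would turn that into a build failure. Note that this function's `pushd "$marinaraSrcDir"` is the only one in the file without `> /dev/null`.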
@@ -0,0 +1,207 @@ +#!/bin/bash +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +function create_cdi_container_image_base { + local componentName + local baseContainerName + local baseContainerTag + local initialDockerfile + local containerBuildDir + local binaryPath + local containerUser + local packagesToInstall + + # $1: sub-component name + # $2: container type + # $3: base container name + # $4: base container tag + # $5: packages to install + # $6: initial Dockerfile + # $7: binary path + # $8: container user + componentName=$1 + containerType=$2 + baseContainerName=$3 + baseContainerTag=$4 + packagesToInstall=$5 + initialDockerfile=$6 + binaryPath=$7 + containerUser=$8 + + echo "------ Display Arguments ------" + echo "Component Name: -> $componentName" + echo "Container Type: -> $containerType" + echo "Base Container Name: -> $baseContainerName" + echo "Base Container Tag: -> $baseContainerTag" + echo "Packages to Install: -> $packagesToInstall" + echo "Initial Dockerfile: -> $initialDockerfile" + echo "Binary Path: -> $binaryPath" + echo "Container User: -> $containerUser" + + # compose the container name. E.g. 
for branch-main this will look like + # cblmarinermain.azurecr.io/kubevirt/cdi-apiserver:1.51.0-1-cm2.0.20220811-amd64 + # cblmarinermain.azurecr.io -> repo + # kubevirt -> CDI_FOLDER_PREFIX + # cdi-apiserver -> $containerType (sub component) + # 1.51.0-1-cm2.0.20220811-amd64 -> version for cdi v1.51.0 rpms with base version details + + local originalContainerName="$CONTAINER_REGISTRY_NAME_FULL/base/$CDI_FOLDER_PREFIX/$containerType" + + echo + echo "----------------------------------------------------------------------" + echo "+++ create container $originalContainerName" + + containerBuildDir="$TEMPDIR/ContainerBuildDir" + hostMountedDir="$TEMPDIR/ContainerBuildDir/Stage" + newDockerStorageLocation="$TEMPDIR/storage" + + mkdir -p "$containerBuildDir" + mkdir -p "$hostMountedDir" + mkdir -p "$newDockerStorageLocation" + + # Copy files into docker context directory + tar -xf "$MARINER_RPMS_TARBALL" -C "$hostMountedDir"/ + cp "$CONTAINER_SRC_DIR/marinerLocalRepo.repo" "$hostMountedDir"/ + cp "$CONTAINER_SRC_DIR/Dockerfile-Initial" "$containerBuildDir/Dockerfile-Initial" + cp $initialDockerfile $containerBuildDir/Dockerfile + + # Workaround till proper binaries are built as part of the cdi rpm & renames are removed + # https://github.com/microsoft/CBL-Mariner/pull/5708/files# + cp "$CONTAINER_SRC_DIR/$CDI_BASE_COMPONENT/configuration-files"/* "$containerBuildDir" + pushd $containerBuildDir > /dev/null + + # set Dockerfile + echo "+++ Updating Dockerfile" + mainRunInstruction=$(cat Dockerfile-Initial) + sed -E "s|@INCLUDE_MAIN_RUN_INSTRUCTION@|$mainRunInstruction|g" -i Dockerfile + + SetDockerDefaultStorageLocation "$newDockerStorageLocation" + + # Build image + docker buildx build \ + --build-arg BASE_IMAGE="$baseContainerName/core:$baseContainerTag" \ + --build-arg RPMS_TO_INSTALL="$packagesToInstall" \ + --build-arg BINARY_NAME="$(basename $binaryPath)" \ + --build-arg USER="$containerUser" \ + -t "$originalContainerName" --no-cache --progress=plain . 
+ + # Get the installed package's version + echo "+++ Get version of the installed package in the container" + local containerId=$(docker run --entrypoint /bin/bash -dt "$originalContainerName") + local installedPackage=$(docker exec "$containerId" rpm -qa | grep ^"$componentName") # nodejs-16.16.0-1.cm2.x86_64 + echo "Full Installed Package: -> $installedPackage" + local componentVersion=$(echo "$installedPackage" | awk '{n=split($0,a,"-")};{split(a[n],b,".")}; {print a[n-1]"-"b[1]}') # 16.16.0-1 + echo "Component Version -> $componentVersion" + docker rm -f "$containerId" + + # Rename the image to include package version + local containerName="$originalContainerName:$componentVersion.$baseContainerTag" + local baseRegistryPrefix="" + local goldenRegistryPrefix="" + getRegistryPrefix 'base' $PUBLISHING_LEVEL $BRANCH_NAME baseRegistryPrefix + getRegistryPrefix $GOLDEN_CONTAINER_IMAGE $PUBLISHING_LEVEL $BRANCH_NAME goldenRegistryPrefix + if [[ -n $goldenRegistryPrefix ]]; then + if [[ -n $baseRegistryPrefix && \ + $containerName == *"$baseRegistryPrefix"* ]]; then + # replace base container registry prefix by golden container registry prefix + echo "replace $baseRegistryPrefix with $goldenRegistryPrefix in $containerName" + containerName=${containerName/"$baseRegistryPrefix"/"$goldenRegistryPrefix"} + else + # add golden container registry prefix + echo "add $goldenRegistryPrefix prefix to $containerName" + containerName=${containerName/"$CONTAINER_REGISTRY_NAME_FULL"/"$CONTAINER_REGISTRY_NAME_FULL/$goldenRegistryPrefix"} + fi + fi + + docker image tag "$originalContainerName" "$containerName" + docker rmi -f "$originalContainerName" + echo "Container Name: -> $containerName" + + local containerNameSanitized=$(echo "$containerName" | tr '/' '-' | tr ':' '_') + publish_container "$containerName" + + # Call generate_container_sbom function to generate SBOM + generate_container_sbom \ + "$componentName" \ + "$baseContainerName" \ + "$baseContainerTag" \ + 
"$containerName" \ + "$componentVersion" \ + "$containerNameSanitized" + + local containerTypeNoDash=${containerType//-/} # Removes dash from containerType. Ex: azure-cli -> azurecli + echo "$containerName" >> $TEMPDIR/$file_name_prefix-$containerTypeNoDash$file_ext + + ResetDockerDefaultStorageLocation "$newDockerStorageLocation" + + # Clean up docker storage folder + sudo rm -rf "$newDockerStorageLocation" + + + # clean up temp folder + popd > /dev/null + sudo rm -rf $containerBuildDir + + echo "----------------------------------------------------------------------" +} + +# Create containers for cdi-apiserver, cdi-cloner, cdi-controller, cdi-importer, +# cdi-operator, cdi-uploadproxy, cdi-uploadserver for CDI_BASE_COMPONENT +function create_cdi_subcomp_containers { + declare -A cdi_container_components + declare -A cdi_binary_path + declare -A cdi_container_user + + local sub_components + local CDI_PACKAGE_BASE="containerized-data-importer" + + sub_components=('api' 'cloner' 'controller' 'importer' 'operator' 'uploadproxy' 'uploadserver') + + # populate the cdi container names + for comp in ${sub_components[@]} + do + cdi_container_components[$comp]=$comp + + # replace 'api with 'apiserver' + [ "$comp" = "api" ] && cdi_container_components[$comp]='apiserver' + + cdi_binary_path[$comp]="/usr/bin/cdi-${cdi_container_components[$comp]}" + + # Setting the active user in the container based on upstream images + # By default set the user to be a non-root user (who is in the root group) + cdi_container_user[$comp]=1001 + done + + mkdir -p $OUTPUT_FOLDER/CONTAINER_LISTS_FOLDER + + for comp in ${sub_components[@]} + do + # To build for specific versions - include it here with the name + dependency_component=$CDI_PACKAGE_BASE-$comp + echo "+++ CDI component name for $comp set at ${cdi_container_components[$comp]}" + cdi_comp=$CDI_BASE_COMPONENT-${cdi_container_components[$comp]} + + local pkgsFileName="$comp.pkg" + local packagesToInstall=() + getPkgsFromFile 
$CDI_BASE_COMPONENT $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + + echo "+++ CDI binary path for $comp ==> ${cdi_binary_path[$comp]}" + echo "+++ create container based on $base_container_name:$base_container_tag for $dependency_component" + create_cdi_container_image_base \ + "$dependency_component" \ + "$cdi_comp" \ + "$base_container_name"\ + "$base_container_tag" \ + "$packages" \ + "$CONTAINER_SRC_DIR/$CDI_BASE_COMPONENT/Dockerfile-$cdi_comp" \ + ${cdi_binary_path[$comp]} \ + ${cdi_container_user[$comp]} + + # Save text files generated in TEMPDIR + echo "+++ publish container list into pipeline artifacts" + cp $TEMPDIR/$file_name_prefix-*$file_ext $OUTPUT_FOLDER/CONTAINER_LISTS_FOLDER + + done +} diff --git a/.pipelines/containerSourceData/scripts/BuildCertManagerContainers.sh b/.pipelines/containerSourceData/scripts/BuildCertManagerContainers.sh new file mode 100755 index 00000000000..df650ab4d79 --- /dev/null +++ b/.pipelines/containerSourceData/scripts/BuildCertManagerContainers.sh 
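Review bot: `local containerId=$(docker run --entrypoint /bin/bash -dt "$originalContainerName")` in create_cdi_container_image_base combines declaration and assignment, so the status the shell sees (and that `set -e` would act on, if the sourcing script enables it) is that of `local`, not of `docker run`; when the run fails, containerId is empty and the script continues into `docker exec ""` with a misleading error (shellcheck SC2155). The same pattern is used for the `installedPackage`, `componentVersion` and `containerNameSanitized` locals here, and in the identical block of BuildCertManagerContainers.sh. Declaring and assigning on separate lines — `local containerId` followed by `containerId=$(docker run --entrypoint /bin/bash -dt "$originalContainerName")` — keeps the command's exit status visible. Separately, `containerType=$2` is the only positional assignment in this function not declared `local` alongside the others, so it leaks into the caller's scope.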
@@ -0,0 +1,155 @@ +#!/bin/bash +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +function create_cert_manager_container_image_base { + local componentName + local baseContainerName + local baseContainerTag + local originalContainerName + local initialDockerfile + local binaryPath + local packagesToInstall + + # $1: component name + # $2: container name + # $3: container tag + # $4: packages to install + # $5: initial Dockerfile + # $6: the path of the binary file to use as the container entrypoint + componentName=$1 + baseContainerName=$2 + baseContainerTag=$3 + packagesToInstall=$4 + initialDockerfile=$5 + binaryPath=$6 + + originalContainerName="$CONTAINER_REGISTRY_NAME_FULL/base/$componentName" + + echo + echo "----------------------------------------------------------------------" + echo "+++ create container $originalContainerName" + + local containerBuildDir="$TEMPDIR/ContainerBuildDir" + hostMountedDir="$TEMPDIR/ContainerBuildDir/Stage" + newDockerStorageLocation="$TEMPDIR/storage" + + mkdir -p "$containerBuildDir" + mkdir -p "$hostMountedDir" + mkdir -p "$newDockerStorageLocation" + + # Copy files into docker context directory + tar -xf "$MARINER_RPMS_TARBALL" -C "$hostMountedDir"/ + cp "$CONTAINER_SRC_DIR/marinerLocalRepo.repo" "$hostMountedDir"/ + cp "$CONTAINER_SRC_DIR/Dockerfile-Initial" "$containerBuildDir/Dockerfile-Initial" + cp $initialDockerfile $containerBuildDir/Dockerfile + + pushd $containerBuildDir > /dev/null + + # set Dockerfile + echo "+++ Updating Dockerfile" + mainRunInstruction=$(cat Dockerfile-Initial) + sed -E "s|@INCLUDE_MAIN_RUN_INSTRUCTION@|$mainRunInstruction|g" -i Dockerfile + sed -i -E "s|@BINARY_PATH@|\"$binaryPath\"|" "$containerBuildDir/Dockerfile" + SetDockerDefaultStorageLocation "$newDockerStorageLocation" + + # Build image + docker buildx build \ + --build-arg BASE_IMAGE="$baseContainerName/core:$baseContainerTag" \ + --build-arg RPMS_TO_INSTALL="$packagesToInstall" \ + -t 
"$originalContainerName" --no-cache --progress=plain . + + # Get the installed package's version + echo "+++ Get version of the installed package in the container" + + local containerId=$(docker run --entrypoint /bin/bash -dt "$originalContainerName") + local installedPackage=$(docker exec "$containerId" rpm -qa | grep ^"$componentName") # nodejs-16.16.0-1.cm2.x86_64 + echo "Full Installed Package: -> $installedPackage" + local componentVersion=$(echo "$installedPackage" | awk '{n=split($0,a,"-")};{split(a[n],b,".")}; {print a[n-1]"-"b[1]}') # 16.16.0-1 + echo "Component Version -> $componentVersion" + docker rm -f "$containerId" + + # Rename the image to include package version + local containerName="$originalContainerName:$componentVersion.$baseContainerTag" + # replace base container registry prefix by golden container registry prefix (if any) + local baseRegistryPrefix="" + local goldenRegistryPrefix="" + getRegistryPrefix 'base' $PUBLISHING_LEVEL $BRANCH_NAME baseRegistryPrefix + getRegistryPrefix $GOLDEN_CONTAINER_IMAGE $PUBLISHING_LEVEL $BRANCH_NAME goldenRegistryPrefix + if [[ -n $goldenRegistryPrefix ]]; then + if [[ -n $baseRegistryPrefix && \ + $containerName == *"$baseRegistryPrefix"* ]]; then + # replace base container registry prefix by golden container registry prefix + echo "replace $baseRegistryPrefix with $goldenRegistryPrefix in $containerName" + containerName=${containerName/"$baseRegistryPrefix"/"$goldenRegistryPrefix"} + else + # add golden container registry prefix + echo "add $goldenRegistryPrefix prefix to $containerName" + containerName=${containerName/"$CONTAINER_REGISTRY_NAME_FULL"/"$CONTAINER_REGISTRY_NAME_FULL/$goldenRegistryPrefix"} + fi + fi + + docker image tag "$originalContainerName" "$containerName" + docker rmi -f "$originalContainerName" + echo "Container Name: -> $containerName" + + local containerNameSanitized=$(echo "$containerName" | tr '/' '-' | tr ':' '_') + + publish_container "$containerName" + + # Call 
generate_container_sbom function to generate SBOM + generate_container_sbom \ + "$componentName" \ + "$baseContainerName" \ + "$baseContainerTag" \ + "$containerName" \ + "$componentVersion" \ + "$containerNameSanitized" + + echo "$containerName" >> $TEMPDIR/$file_name_prefix-$componentName$file_ext + + ResetDockerDefaultStorageLocation "$newDockerStorageLocation" + + # Clean up docker storage folder + sudo rm -rf "$newDockerStorageLocation" + + # clean up temp folder + popd > /dev/null + sudo rm -rf $containerBuildDir + + echo "----------------------------------------------------------------------" +} + +function create_cert_manager_subcomp_containers { + local sub_components + local dependency_component + local binary_path + + sub_components=('acmesolver' 'cainjector' 'controller' 'cmctl' 'webhook') + + mkdir -p $OUTPUT_FOLDER/CONTAINER_LISTS_FOLDER + + for subcomp in ${sub_components[@]} + do + dependency_component=$CERT_MANAGER-$subcomp + binary_path=/usr/bin/$subcomp + local pkgsFileName="$subcomp.pkg" + local packagesToInstall=() + getPkgsFromFile $CERT_MANAGER_NO_DASH $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + + echo "+++ create container based on $base_container_name:$base_container_tag for $dependency_component" + create_cert_manager_container_image_base \ + "$dependency_component" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "$CONTAINER_SRC_DIR/$CERT_MANAGER_NO_DASH/Dockerfile-cert-manager" \ + "$binary_path" + + # Save text files generated in TEMPDIR + echo "+++ publish container list into pipeline artifacts" + cp $TEMPDIR/$file_name_prefix-*$file_ext $OUTPUT_FOLDER/CONTAINER_LISTS_FOLDER + + done +} diff --git a/.pipelines/containerSourceData/scripts/BuildGoldenContainers.sh b/.pipelines/containerSourceData/scripts/BuildGoldenContainers.sh new file mode 100755 index 00000000000..050b322277b --- /dev/null +++ b/.pipelines/containerSourceData/scripts/BuildGoldenContainers.sh 
@@ -0,0 +1,1045 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+set -e
+
+# parse script parameters:
+# -i -> published base container file
+# -m -> folder containing artifacts of CBL-Mariner
+# -n -> name of the container registry
+# -g -> golden container image
+# -o -> folder where to put artifacts to be published
+# -s -> manifest tool directory path
+# -b -> branch name
+# -p -> publishing level
+#
+while getopts ":i:m:n:g:o:s:b:p:x:" OPTIONS; do
+ case ${OPTIONS} in
+ i ) BASE_IMAGE_FOLDER=$OPTARG;;
+ m ) MARINER_ARTIFACTS_FOLDER=$OPTARG;;
+ n ) CONTAINER_REGISTRY_NAME=$OPTARG
+ CONTAINER_REGISTRY_NAME_FULL="$CONTAINER_REGISTRY_NAME.azurecr.io";;
+ g ) GOLDEN_CONTAINER_IMAGE=$OPTARG;;
+ o ) OUTPUT_FOLDER=$OPTARG;;
+ s ) MANIFEST_TOOL_DIR=$OPTARG;;
+ b ) BRANCH_NAME=$OPTARG;;
+ p ) PUBLISHING_LEVEL=$OPTARG;;
+ x ) CONTAINER_SRC_DIR=$OPTARG;;
+
+ \? )
+ echo "Error - Invalid Option: -$OPTARG" 1>&2
+ exit 1
+ ;;
+ : )
+ echo "Error - Invalid Option: -$OPTARG requires an argument" 1>&2
+ exit 1
+ ;;
+ esac
+done
+
+MANIFEST_TOOL_DIR="$(cd "$MANIFEST_TOOL_DIR"; pwd)"
+OUTPUT_FOLDER="$(cd "$OUTPUT_FOLDER"; pwd)"
+
+echo "- BASE IMAGE_FOLDER -> $BASE_IMAGE_FOLDER"
+echo "- MARINER_ARTIFACTS_FOLDER -> $MARINER_ARTIFACTS_FOLDER"
+echo "- CONTAINER_REGISTRY_NAME -> $CONTAINER_REGISTRY_NAME"
+echo "- CONTAINER_REGISTRY_NAME_FULL -> $CONTAINER_REGISTRY_NAME_FULL"
+echo "- GOLDEN_CONTAINER_IMAGE -> $GOLDEN_CONTAINER_IMAGE"
+echo "- BRANCH_NAME -> $BRANCH_NAME"
+echo "- PUBLISHING_LEVEL -> $PUBLISHING_LEVEL"
+echo "- MANIFEST_TOOL_DIR -> $MANIFEST_TOOL_DIR"
+echo "- OUTPUT_FOLDER -> $OUTPUT_FOLDER"
+
+readonly SCRIPT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. 
&& pwd )" +readonly ROOT_FOLDER="$(git rev-parse --show-toplevel)" + +# define golden images dependency components +readonly AZURECLI="azure-cli" +readonly AZURECLI_NO_DASH="azurecli" +readonly CDI_BASE_COMPONENT="cdi" +readonly CERT_MANAGER='cert-manager' +readonly CERT_MANAGER_NO_DASH='certmanager' +readonly INFLUX_DB="influxdb" +readonly KUBEVIRT_BASE_COMPONENT="kubevirt" +readonly MEMCACHED="memcached" +readonly MULTUS="multus" +readonly NGINX="nginx" +readonly NODEJS="nodejs" +readonly OPENMPI="openmpi" +readonly PHP="php" +readonly POSTGRES="postgres" +readonly PROMETHEUS="prometheus" +readonly PROMETHEUS_ADAPTER="prometheus-adapter" +readonly PROMETHEUS_ADAPTER_NO_DASH="prometheusadapter" +readonly PYTHON="python" +readonly PYTORCH="pytorch" +readonly RABBITMQSERVER="rabbitmq-server" +readonly RABBITMQSERVER_NO_DASH="rabbitmqserver" +readonly REDIS="redis" +readonly RUBY="ruby" +readonly RUST="rust" +readonly SRIOV_NETWORK_DEVICE_PLUGIN='sriov-network-device-plugin' +readonly SRIOV_NETWORK_DEVICE_PLUGIN_NO_DASH='sriovnetworkdeviceplugin' +readonly TELEGRAF="telegraf" +readonly TENSORFLOW="tensorflow" + +# The RPMS of CDI have containerized-data-importer as its prefix whereas the +# containers must have cdi as its prefix. Hence, the BASE component +# is set to cdi. The folder prefix is same as kubevirt. +readonly CDI_FOLDER_PREFIX=$KUBEVIRT_BASE_COMPONENT +readonly KUBEVIRT_FOLDER_PREFIX=$KUBEVIRT_BASE_COMPONENT + +echo "+++ create temp folder" +TEMPDIR=$ROOT_FOLDER/TEMPDIR_CONTAINER +mkdir -pv "$OUTPUT_FOLDER/SBOM_IMAGES" + +function cleanup { + echo "+++ remove $TEMPDIR" + sudo rm -rf "$TEMPDIR" +} +trap cleanup EXIT + +declare -A COMPONENT_VERSIONS +declare -A BUILDER_IMAGES + +# these variables are used to create text files listing golden image names. +readonly file_name_prefix='PublishedContainers' +readonly file_ext='.txt' + +# Validates the input such as base images exist and the Mariner RPMs tarball exists. 
+function input_validation { + BASE_IMAGE_FILE=$(find "$BASE_IMAGE_FOLDER" -name "PublishedContainers-base.txt") + if [[ ! -f $BASE_IMAGE_FILE ]]; then + echo "Error - No base image file in $BASE_IMAGE_FOLDER" + exit 1 + fi + + MARINER_RPMS_TARBALL=$(find "$MARINER_ARTIFACTS_FOLDER" -name "rpms.tar.gz" -maxdepth 1) + if [[ ! -f $MARINER_RPMS_TARBALL ]]; then + echo "Error - No Mariner RPMs tarball in $MARINER_ARTIFACTS_FOLDER" + exit 1 + fi +} + +# Reads base container names from the passed in text files +function read_base_container_name { + baseImageName="none" + + while read image; do + if [[ $baseImageName == "none" ]]; then + baseImageName=$image + fi + done < "$BASE_IMAGE_FILE" + + echo "- Full base ACR image name: $baseImageName" + base_container_acr=${baseImageName%%.*} + base_container_name_with_core=${baseImageName%:*} + base_container_name=${base_container_name_with_core%/*} + base_container_tag=${baseImageName#*:} + + echo "Base ACR Name -> $base_container_acr" + echo "Base ACR Container Name -> $base_container_name" + echo "Base ACR Container Tag -> $base_container_tag" +} + +# Builds, Tests, and Publishes Golden Container Image. +# The first argument is the main package name i.e., component name (e.g., nodejs, azure-cli, postgresql, etc) +# The second argument is the image name i.e., container type (e.g., nodejs, azure-cli, postgres, etc) +# The third argument is the base container name +# The fourth argument is the base container tag +# The fifth argument is the set of packages to be installed in the image. +# The sixth argument is the path to the corresponding dockerfile. 
+# The seventh argument is the runTest flag (0/1) +# The eighth argument is the passed in full containerName +function CreateGoldenContainer { + local componentName=$1 + local containerType=$2 + local baseContainerName=$3 + local baseContainerTag=$4 + local packagesToInstall=$5 + local goldenImageDockerfile=$6 + local runTest=$7 + local originalContainerName=$8 + local containerTypeNoDash + + echo "------ Display Arguments ------" + echo "Component Name: -> $componentName" + echo "Container Type: -> $containerType" + echo "Base Container Name: -> $baseContainerName" + echo "Base Container Tag: -> $baseContainerTag" + echo "Packages to Install: -> $packagesToInstall" + echo "Dockerfile: -> $goldenImageDockerfile" + echo "Test Container: -> $runTest" + echo "Container Name: -> $originalContainerName" + + echo "+++ create container based on $baseContainerName/core:$baseContainerTag for $componentName" + containerTypeNoDash=${containerType//-/} # Removes dash from containerType. Ex: azure-cli -> azurecli + + echo + echo "----------------------------------------------------------------------" + echo "+++ create container $originalContainerName" + + local containerBuildDir="$TEMPDIR/ContainerBuildDir" + hostMountedDir="$TEMPDIR/ContainerBuildDir/Stage" + newDockerStorageLocation="$TEMPDIR/storage" + + mkdir -p "$containerBuildDir" + mkdir -p "$hostMountedDir" + mkdir -p "$newDockerStorageLocation" + + # Copy files into docker context directory + tar -xf "$MARINER_RPMS_TARBALL" -C "$hostMountedDir"/ + cp "$CONTAINER_SRC_DIR/marinerLocalRepo.repo" "$hostMountedDir"/ + cp "$CONTAINER_SRC_DIR/Dockerfile-Initial" "$containerBuildDir/Dockerfile-Initial" + cp "$CONTAINER_SRC_DIR/$containerTypeNoDash/$goldenImageDockerfile" "$containerBuildDir/Dockerfile" + + # Ensure that the path exists before copying files. 
+ if [ -d "$CONTAINER_SRC_DIR/$containerTypeNoDash/configuration-files" ]; then + cp "$CONTAINER_SRC_DIR/$containerTypeNoDash/configuration-files"/* "$containerBuildDir" + fi + + pushd "$containerBuildDir" + + # set Dockerfile + echo "+++ Updating Dockerfile" + mainRunInstruction=$(cat Dockerfile-Initial) + sed -E "s|@INCLUDE_MAIN_RUN_INSTRUCTION@|$mainRunInstruction|g" -i Dockerfile + + cat Dockerfile + + if [ "$DISABLE_DOCKER_REDIRECTION" != "true" ]; then + SetDockerDefaultStorageLocation "$newDockerStorageLocation" + fi + + # Build image + docker buildx build \ + --build-arg BASE_IMAGE="$baseContainerName/core:$baseContainerTag" \ + --build-arg RPMS_TO_INSTALL="$packagesToInstall" \ + -t "$originalContainerName" --no-cache --progress=plain \ + -f $containerBuildDir/Dockerfile . + + # Get the installed package's version + echo "+++ Get version of the installed package in the container" + + local containerId + local installedPackage + local componentVersion + + containerId=$(docker run --entrypoint /bin/bash -dt "$originalContainerName") + # exec as root as the default user for some containers is non-root + # componentName e.g. nodejs-16.16.0-1.cm2.x86_64 + installedPackage=$(docker exec -u 0 "$containerId" tdnf repoquery --installed "$componentName" | grep ^"$componentName") + echo "Full Installed Package: -> $installedPackage" + componentVersion=$(echo "$installedPackage" | awk '{n=split($0,a,"-")};{split(a[n],b,".")}; {print a[n-1]"-"b[1]}') # 16.16.0-1 + echo "Component Version -> $componentVersion" + COMPONENT_VERSIONS[$containerType]=$componentVersion + docker rm -f "$containerId" + + # Rename the image to include package version + # For HCI Images, do not include "-cm" in the image tag; Instead use a "." 
+ if $IS_HCI_IMAGE; then + # Example: acrafoimages.azurecr.io/base/kubevirt/virt-operator:0.59.0-2.2.0.20230607-amd64 + local containerName="$originalContainerName:$componentVersion.$baseContainerTag" + else + # Example: cblmarinermain.azurecr.io/base/nodejs:16.19.1-2-cm2.0.20230607-amd64 + local containerName="$originalContainerName:$componentVersion-cm$baseContainerTag" + fi + + # replace base container registry prefix by golden container registry prefix (if any) + local baseRegistryPrefix="" + local goldenRegistryPrefix="" + getRegistryPrefix 'base' $PUBLISHING_LEVEL $BRANCH_NAME baseRegistryPrefix + getRegistryPrefix $GOLDEN_CONTAINER_IMAGE $PUBLISHING_LEVEL $BRANCH_NAME goldenRegistryPrefix + if [[ -n $goldenRegistryPrefix ]]; then + if [[ -n $baseRegistryPrefix && \ + $containerName == *"$baseRegistryPrefix"* ]]; then + # replace base container registry prefix by golden container registry prefix + echo "replace $baseRegistryPrefix with $goldenRegistryPrefix in $containerName" + containerName=${containerName/"$baseRegistryPrefix"/"$goldenRegistryPrefix"} + else + # add golden container registry prefix + echo "add $goldenRegistryPrefix prefix to $containerName" + containerName=${containerName/"$CONTAINER_REGISTRY_NAME_FULL"/"$CONTAINER_REGISTRY_NAME_FULL/$goldenRegistryPrefix"} + fi + fi + + docker image tag "$originalContainerName" "$containerName" + BUILDER_IMAGES[$componentName]=$containerName + docker rmi -f "$originalContainerName" + echo "Container Name: -> $containerName" + + # Test image + if [ $runTest -ne 0 ]; then + test_golden_container "$containerTypeNoDash" "$containerName" + fi + + # Publish image + publish_container "$containerName" + + local containerNameSanitized + containerNameSanitized=$(echo "$containerName" | tr '/' '-' | tr ':' '_') + + if [[ "$DISABLE_SBOM_GENERATION" != "true" ]]; then + # Call generate_container_sbom function to generate SBOM + generate_container_sbom \ + "$componentName" \ + "$baseContainerName" \ + 
"$baseContainerTag" \ + "$containerName" \ + "$componentVersion" \ + "$containerNameSanitized" + fi + popd + + if [ "$DISABLE_DOCKER_REDIRECTION" != "true" ]; then + ResetDockerDefaultStorageLocation "$newDockerStorageLocation" + fi + + sudo rm -rf "$newDockerStorageLocation" + + # Clean up temp folder + sudo rm -rf "$containerBuildDir" + + # Save container name + echo "$containerName" >> "$TEMPDIR/$file_name_prefix-$containerTypeNoDash$file_ext" + echo "----------------------------------------------------------------------" + + save_container_list +} + +function DockerBuild { + local containerName=$1 + local marinerVersion=$2 + local imageType=$3 + local packagesToInstall=$4 + local packagesToHoldback=$5 + local installNonrootUser=$6 + local user=root + local userUid=0 + + if $installNonrootUser; then + user="nonroot" + userUid=65532 + fi + + # Create container + docker build . \ + -t "$containerName" \ + -f dockerfiles/dockerfile-new-image \ + --build-arg MARINER_VERSION="$marinerVersion" \ + --build-arg IMAGE_TYPE="$imageType" \ + --build-arg PACKAGES_TO_INSTALL="$packagesToInstall" \ + --build-arg PACKAGES_TO_HOLDBACK="$packagesToHoldback" \ + --build-arg USER="$user" \ + --build-arg USER_UID=$userUid \ + --no-cache \ + --progress=plain +} + +# Builds, Tests, and Publishes Distroless Golden Container Image. +# The first argument is the main package name i.e., component name (e.g., nodejs, azure-cli, postgresql, etc). +# The second argument is the image name i.e., container type (e.g., nodejs, azure-cli, postgres, etc). +# The third argument is the base container tag. +# The fourth argument is the set of packages to be installed in the image. +# The fifth argument is the set of packages to holdback from getting installed. +# The sixth argument is component version. +# The seventh argument is the passed in full containerName. +# The eighth argument is builder image to use in distroless test. 
+# The ninth argument is the flag to indicate whether to run the test or not. +function CreateDistrolessGoldenContainers { + local componentName=$1 + local containerType=$2 + local baseContainerTag=$3 + local packagesToInstall=$4 + local packagesToHoldback=$5 + local componentVersion=$6 + local containerName=$7 + local builderImage=$8 + local runTest=$9 + local containerTypeNoDash + + echo "------ Display Arguments ------" + echo "Component Name: -> $componentName" + echo "Container Type: -> $containerType" + echo "Base Container Tag: -> $baseContainerTag" + echo "Packages to Install: -> $packagesToInstall" + echo "Packages to Holdback: -> $packagesToHoldback" + echo "Component Version: -> $componentVersion" + echo "Container Name: -> $containerName" + echo "Run Test: -> $runTest" + + echo "+++ create distroless container for $componentName" + containerTypeNoDash=${containerType//-/} # Removes dash from containerType. Ex: azure-cli -> azurecli + + echo + echo "----------------------------------------------------------------------" + echo "+++ create container $containerName" + + local baseRegistryPrefix="" + local goldenRegistryPrefix="" + getRegistryPrefix 'base' $PUBLISHING_LEVEL $BRANCH_NAME baseRegistryPrefix + getRegistryPrefix $GOLDEN_CONTAINER_IMAGE $PUBLISHING_LEVEL $BRANCH_NAME goldenRegistryPrefix + if [[ -n $goldenRegistryPrefix ]]; then + if [[ -n $baseRegistryPrefix && \ + $containerName == *"$baseRegistryPrefix"* ]]; then + # replace base container registry prefix by golden container registry prefix + echo "replace $baseRegistryPrefix with $goldenRegistryPrefix in $containerName" + containerName=${containerName/"$baseRegistryPrefix"/"$goldenRegistryPrefix"} + else + # add golden container registry prefix + echo "add $goldenRegistryPrefix prefix to $containerName" + containerName=${containerName/"$CONTAINER_REGISTRY_NAME_FULL"/"$CONTAINER_REGISTRY_NAME_FULL/$goldenRegistryPrefix"} + fi + echo " -> Modified Container Name: $containerName" + fi + + 
standardContainerName="$containerName:$componentVersion-cm$base_container_tag" + debugContainerName="$containerName:$componentVersion-debug-cm$base_container_tag" + nonrootContainerName="$containerName:$componentVersion-nonroot-cm$base_container_tag" + debugNonrootContainerName="$containerName:$componentVersion-debug-nonroot-cm$base_container_tag" + + marinara="marinara" + marinaraSrcDir="$TEMPDIR/$marinara-src" + git clone "https://github.com/microsoft/$marinara.git" "$marinaraSrcDir" + pushd "$marinaraSrcDir" + + # replace base container registry prefix by golden container registry prefix (if any) + if [[ -n $baseRegistryPrefix ]]; then + # add base container registry prefix to MARINARA + MARINARA_IMAGE=$CONTAINER_REGISTRY_NAME_FULL/$baseRegistryPrefix/$marinara:$baseContainerTag + else + MARINARA_IMAGE=$CONTAINER_REGISTRY_NAME_FULL/$marinara:$baseContainerTag + fi + echo "MARINARA_IMAGE -> $MARINARA_IMAGE" + + # Get Mariner version from base container tag + OLDIFS=$IFS + IFS='.' + read -ra tag_parts <<< "$baseContainerTag" + IFS=$OLDIFS + + mariner_version="${tag_parts[0]}.0" + + # Update dockerfile-marinara to use the current base container + sed -E "s|^FROM .*builder$|FROM $MARINARA_IMAGE as builder|g" -i "dockerfiles/dockerfile-new-image" + + # Create standard container + DockerBuild "$standardContainerName" "$mariner_version" "custom" "$packagesToInstall" "$packagesToHoldback" false + + # Create debug container + DockerBuild "$debugContainerName" "$mariner_version" "custom-debug" "$packagesToInstall" "$packagesToHoldback" false + + # Create nonroot container + DockerBuild "$nonrootContainerName" "$mariner_version" "custom-nonroot" "$packagesToInstall" "$packagesToHoldback" true + + # Create debug nonroot container + DockerBuild "$debugNonrootContainerName" "$mariner_version" "custom-debug-nonroot" "$packagesToInstall" "$packagesToHoldback" true + + popd > /dev/null + + echo "+++ remove $marinaraSrcDir" + sudo rm -rf "$marinaraSrcDir" + + # Test image + if [ 
$runTest -ne 0 ]; then + test_distroless_container "$containerTypeNoDash-distroless" "$builderImage" "$standardContainerName" + test_distroless_container "$containerTypeNoDash-distroless" "$builderImage" "$debugContainerName" + test_distroless_container "$containerTypeNoDash-distroless" "$builderImage" "$nonrootContainerName" + test_distroless_container "$containerTypeNoDash-distroless" "$builderImage" "$debugNonrootContainerName" + fi + + # Publish containers + publish_container "$standardContainerName" + publish_container "$debugContainerName" + publish_container "$nonrootContainerName" + publish_container "$debugNonrootContainerName" + + # Save containers names + { + echo "$standardContainerName"; + echo "$debugContainerName"; + echo "$nonrootContainerName"; + echo "$debugNonrootContainerName"; + } >> "$TEMPDIR/$file_name_prefix-$containerTypeNoDash$file_ext" + echo "----------------------------------------------------------------------" + + save_container_list +} + +function getPkgsFromFile() { + local folderName=$1 + local fileName=$2 + local -n array=$3 + while read -r pkg; do + array+=("$pkg") + done < "$CONTAINER_SRC_DIR/$folderName/$fileName" +} + +# Creates azurecli container +function create_azurecli_container { + local pkgsFileName="$AZURECLI_NO_DASH.pkg" + local packagesToInstall=() + getPkgsFromFile $AZURECLI_NO_DASH $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$AZURECLI" \ + "$AZURECLI" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-AzureCLI" \ + 1 \ + "$base_container_name/$AZURECLI" +} + +# Creates memcached container +function create_memcached_container { + local pkgsFileName="$MEMCACHED.pkg" + local packagesToInstall=() + getPkgsFromFile $MEMCACHED $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$MEMCACHED" \ + "$MEMCACHED" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + 
"Dockerfile-Memcached" \ + 1 \ + "$base_container_name/$MEMCACHED" +} + +# Creates nginx container +function create_nginx_container { + local pkgsFileName="$NGINX.pkg" + local packagesToInstall=() + getPkgsFromFile $NGINX $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$NGINX" \ + "$NGINX" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Nginx" \ + 1 \ + "$base_container_name/$NGINX" +} + +# Creates nodejs container +function create_nodejs_container { + local nodejsPkgsFileName="$NODEJS.pkg" + local packagesToInstall=() + getPkgsFromFile $NODEJS $nodejsPkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$NODEJS" \ + "$NODEJS" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Nodejs" \ + 1 \ + "$base_container_name/$NODEJS" + + local packagesToInstallInDistrolessNodejs=('distroless-packages-base' 'nodejs') + local packagesInDistrolessNodejs="${packagesToInstallInDistrolessNodejs[*]}" + + local packagesToHoldbackInDistrolessNodejs=('bash' 'bzi' 'coreutils' 'gmp' 'grep' 'libselinux' 'pcre' 'pcre-libs') + local holdbackInDistroless="${packagesToHoldbackInDistrolessNodejs[*]}" + + componentVersion=${COMPONENT_VERSIONS[$NODEJS]} + builderImage=${BUILDER_IMAGES[$NODEJS]} + CreateDistrolessGoldenContainers \ + "$NODEJS" \ + "$NODEJS" \ + "$base_container_tag" \ + "$packagesInDistrolessNodejs" \ + "$holdbackInDistroless" \ + "$componentVersion" \ + "$CONTAINER_REGISTRY_NAME_FULL/distroless/$NODEJS" \ + "$builderImage" \ + 1 + + local nodejs18PkgsFileName="${NODEJS}18.pkg" + local packagesToInstall18=() + getPkgsFromFile $NODEJS $nodejs18PkgsFileName packagesToInstall18 + local packages18="${packagesToInstall18[*]}" + CreateGoldenContainer \ + "${NODEJS}18" \ + "$NODEJS" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages18" \ + "Dockerfile-Nodejs" \ + 1 \ + 
"$base_container_name/$NODEJS" + + + local packagesToInstallInDistrolessNodejs18=('distroless-packages-base' 'nodejs18') + local packagesInDistrolessNodejs18="${packagesToInstallInDistrolessNodejs18[*]}" + componentVersion=${COMPONENT_VERSIONS[$NODEJS]} + builderImage=${BUILDER_IMAGES[${NODEJS}18]} + CreateDistrolessGoldenContainers \ + "${NODEJS}18" \ + "$NODEJS" \ + "$base_container_tag" \ + "$packagesInDistrolessNodejs18" \ + "$holdbackInDistroless" \ + "$componentVersion" \ + "$CONTAINER_REGISTRY_NAME_FULL/distroless/$NODEJS" \ + "$builderImage" \ + 1 +} + +# Creates php container +function create_php_container { + local pkgsFileName="$PHP.pkg" + local packagesToInstall=() + getPkgsFromFile $PHP $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$PHP" \ + "$PHP" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-PHP" \ + 1 \ + "$base_container_name/$PHP" +} + +# Creates python container +function create_python_container { + local pkgsFileName="$PYTHON.pkg" + local packagesToInstall=() + getPkgsFromFile $PYTHON $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$PYTHON" \ + "$PYTHON" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Python" \ + 1 \ + "$base_container_name/$PYTHON" + + local packagesToInstallInDistroless=('distroless-packages-base' 'python3') + local packagesInDistroless="${packagesToInstallInDistroless[*]}" + + local packagesToHoldbackInDistroless=('bash' 'grep' 'coreutils' 'gmp' 'libselinux' 'pcre' 'pcre-libs') + local holdbackInDistroless="${packagesToHoldbackInDistroless[*]}" + + componentVersion=${COMPONENT_VERSIONS[$PYTHON]} + builderImage=${BUILDER_IMAGES[$PYTHON]} + CreateDistrolessGoldenContainers \ + "$PYTHON" \ + "$PYTHON" \ + "$base_container_tag" \ + "$packagesInDistroless" \ + "$holdbackInDistroless" \ + "$componentVersion" \ + 
"$CONTAINER_REGISTRY_NAME_FULL/distroless/$PYTHON" \ + "$builderImage" \ + 0 +} + +# Creates pytorch container +function create_pytorch_container { + local pkgsFileName="$PYTORCH.pkg" + local packagesToInstall=() + getPkgsFromFile $PYTORCH $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "${PYTHON}3-$PYTORCH" \ + "$PYTORCH" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Pytorch" \ + 1 \ + "$base_container_name/$PYTORCH" +} + +# Creates rabbitmq-server container +function create_rabbitmqserver_container { + local pkgsFileName="$RABBITMQSERVER_NO_DASH.pkg" + local packagesToInstall=() + getPkgsFromFile $RABBITMQSERVER_NO_DASH $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$RABBITMQSERVER" \ + "$RABBITMQSERVER" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-rabbitmq-server" \ + 0 \ + "$base_container_name/$RABBITMQSERVER" +} + +# Creates ruby container +function create_ruby_container { + # Packages already installed in base mariner -> readline, zlib, bzip2. + # Replacement ruby runtime dependency: + # musl -> glibc, kernel-headers, binutils; no musl rpm in PMC. 
+ local pkgsFileName="$RUBY.pkg" + local packagesToInstall=() + getPkgsFromFile $RUBY $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$RUBY" \ + "$RUBY" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Ruby" \ + 1 \ + "$base_container_name/$RUBY" +} + +# Creates rust container +function create_rust_container { + local pkgsFileName="$RUST.pkg" + local packagesToInstall=() + getPkgsFromFile $RUST $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$RUST" \ + "$RUST" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Rust" \ + 0 \ + "$base_container_name/$RUST" +} + +# Creates postgres container +function create_postgres_container { + local pkgsFileName="$POSTGRES.pkg" + local packagesToInstall=() + getPkgsFromFile $POSTGRES $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "${POSTGRES}ql" \ + "$POSTGRES" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Postgres" \ + 1 \ + "$base_container_name/$POSTGRES" +} + +# Creates InfluxDB container +function create_influxdb_container { + local pkgsFileName="$INFLUX_DB.pkg" + local packagesToInstall=() + getPkgsFromFile $INFLUX_DB $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$INFLUX_DB" \ + "$INFLUX_DB" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Influxdb" \ + 1 \ + "$base_container_name/$INFLUX_DB" +} + +# Creates prometheus container +function create_prometheus_container { + local pkgsFileName="$PROMETHEUS.pkg" + local packagesToInstall=() + getPkgsFromFile $PROMETHEUS $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$PROMETHEUS" \ + "$PROMETHEUS" \ + "$base_container_name" \ + "$base_container_tag" \ + 
"$packages" \ + "Dockerfile-Prometheus" \ + 1 \ + "$base_container_name/$PROMETHEUS" + + local packagesToInstallInDistroless=('distroless-packages-base' 'prometheus') + local packagesInDistroless="${packagesToInstallInDistroless[*]}" + + # Potentially extraneous, can be investigated more. + local packagesToHoldbackInDistroless=('bash' 'grep' 'coreutils' 'gmp' 'libselinux' 'pcre' 'pcre-libs') + local holdbackInDistroless="${packagesToHoldbackInDistroless[*]}" + + componentVersion=${COMPONENT_VERSIONS["$PROMETHEUS"]} + builderImage=${BUILDER_IMAGES[$PROMETHEUS]} + CreateDistrolessGoldenContainers \ + "$PROMETHEUS" \ + "$PROMETHEUS" \ + "$base_container_tag" \ + "$packagesInDistroless" \ + "$holdbackInDistroless" \ + "$componentVersion" \ + "$CONTAINER_REGISTRY_NAME_FULL/distroless/$PROMETHEUS" \ + "$builderImage" \ + 0 +} + +function create_redis_container { + local pkgsFileName="$REDIS.pkg" + local packagesToInstall=() + getPkgsFromFile $REDIS $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$REDIS" \ + "$REDIS" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Redis" \ + 1 \ + "$base_container_name/$REDIS" +} + +# Creates prometheus-adapter container +function create_prometheus_adapter_container { + local pkgsFileName="$PROMETHEUS_ADAPTER_NO_DASH.pkg" + local packagesToInstall=() + getPkgsFromFile $PROMETHEUS_ADAPTER_NO_DASH $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$PROMETHEUS_ADAPTER" \ + "$PROMETHEUS_ADAPTER" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Prometheus-Adapter" \ + 0 \ + "$base_container_name/$PROMETHEUS_ADAPTER" + + local packagesToInstallInDistroless=('distroless-packages-base' 'prometheus-adapter') + local packagesInDistroless="${packagesToInstallInDistroless[*]}" + + # Potentially extraneous, can be investigated more. 
+ local packagesToHoldbackInDistroless=('bash' 'grep' 'coreutils' 'gmp' 'libselinux' 'pcre' 'pcre-libs') + local holdbackInDistroless="${packagesToHoldbackInDistroless[*]}" + + componentVersion=${COMPONENT_VERSIONS["$PROMETHEUS_ADAPTER"]} + builderImage=${BUILDER_IMAGES[$PROMETHEUS_ADAPTER]} + CreateDistrolessGoldenContainers \ + "$PROMETHEUS_ADAPTER" \ + "$PROMETHEUS_ADAPTER" \ + "$base_container_tag" \ + "$packagesInDistroless" \ + "$holdbackInDistroless" \ + "$componentVersion" \ + "$CONTAINER_REGISTRY_NAME_FULL/distroless/$PROMETHEUS_ADAPTER" \ + "$builderImage" \ + 0 +} + +# Creates telegraf container +function create_telegraf_container { + local pkgsFileName="$TELEGRAF.pkg" + local packagesToInstall=() + getPkgsFromFile $TELEGRAF $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$TELEGRAF" \ + "$TELEGRAF" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Telegraf" \ + 1 \ + "$base_container_name/$TELEGRAF" +} + +# Creates tensorflow container +function create_tensorflow_container { + local pkgsFileName="$TENSORFLOW.pkg" + local packagesToInstall=() + getPkgsFromFile $TENSORFLOW $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "python3-${TENSORFLOW}" \ + "$TENSORFLOW" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Tensorflow" \ + 1 \ + "$base_container_name/$TENSORFLOW" +} + +# Creates openmpi container +function create_openmpi_container { + local pkgsFileName="$OPENMPI.pkg" + local packagesToInstall=() + getPkgsFromFile $OPENMPI $pkgsFileName packagesToInstall + local packages="${packagesToInstall[*]}" + CreateGoldenContainer \ + "$OPENMPI" \ + "$OPENMPI" \ + "$base_container_name" \ + "$base_container_tag" \ + "$packages" \ + "Dockerfile-Openmpi" \ + 1 \ + "$base_container_name/$OPENMPI" +} + +# ---- Mariner HCI IMAGES ---- + +# Creates Cdi containers +function 
create_cdi_containers { + source $CONTAINER_SRC_DIR/scripts/BuildCdiContainers.sh + create_cdi_subcomp_containers +} + +# Creates Cert-Manager containers +function create_cert_manager_containers { + source $CONTAINER_SRC_DIR/scripts/BuildCertManagerContainers.sh + create_cert_manager_subcomp_containers +} + +# Create containers for each of the kubevirt sub components - +# virt-operator, virt-api, virt-handler, virt-launcher, virt-controller +function create_kubevirt_containers { + source $CONTAINER_SRC_DIR/scripts/BuildKubevirtContainers.sh + create_kubevirt_subcomp_containers +} + +# Create Multus container +function create_multus_container_helper { + source $CONTAINER_SRC_DIR/scripts/BuildMultusContainer.sh + create_multus_container +} + +# Create Sriov network device plugin container +function create_sriov_dp_containers { + source $CONTAINER_SRC_DIR/scripts/BuildSriovDpContainer.sh + create_sriov_dp_container +} + +function start_building_containers { + case $GOLDEN_CONTAINER_IMAGE in + + "$AZURECLI_NO_DASH") + create_azurecli_container + ;; + + "$MEMCACHED") + create_memcached_container + ;; + + "$NGINX") + create_nginx_container + ;; + + "$NODEJS") + create_nodejs_container + ;; + + "$PHP") + create_php_container + ;; + + "$PYTHON") + create_python_container + ;; + + "$RABBITMQSERVER_NO_DASH") + create_rabbitmqserver_container + ;; + + "$REDIS") + create_redis_container + ;; + + "$RUBY") + create_ruby_container + ;; + + "$RUST") + create_rust_container + ;; + + "$POSTGRES") + create_postgres_container + ;; + + "$INFLUX_DB") + create_influxdb_container + ;; + + "$PROMETHEUS") + create_prometheus_container + ;; + + "$PROMETHEUS_ADAPTER_NO_DASH") + create_prometheus_adapter_container + ;; + + "$PYTORCH") + create_pytorch_container + ;; + + "$TELEGRAF") + create_telegraf_container + ;; + + "$TENSORFLOW") + create_tensorflow_container + ;; + + "$OPENMPI") + create_openmpi_container + ;; + + "$CDI_BASE_COMPONENT") + create_cdi_containers + ;; + + 
"$CERT_MANAGER_NO_DASH")
+ create_cert_manager_containers
+ ;;
+
+ "$KUBEVIRT_BASE_COMPONENT")
+ create_kubevirt_containers
+ ;;
+
+ "$MULTUS")
+ create_multus_container_helper
+ ;;
+
+ "$SRIOV_NETWORK_DEVICE_PLUGIN_NO_DASH")
+ create_sriov_dp_containers
+ ;;
+ esac
+}
+
+# source the CommonFunctions script to get the following functions:
+# - azure_login
+# - generate_container_sbom
+# - SetDockerDefaultStorageLocation
+# - ResetDockerDefaultStorageLocation
+# - save_container_list
+# - test_golden_container
+# - publish_container
+# - getRegistryPrefix
+source $CONTAINER_SRC_DIR/scripts/CommonFunctions.sh
+
+input_validation
+read_base_container_name
+azure_login "$base_container_acr"
+
+# Create a variable to store the value of whether GOLDEN_CONTAINER_IMAGE is an HCI image
+export IS_HCI_IMAGE=false
+checkIfHciImage IS_HCI_IMAGE
+echo "Is this an HCI Image: $IS_HCI_IMAGE"
+
+start_building_containers
diff --git a/.pipelines/containerSourceData/scripts/BuildKubevirtContainers.sh b/.pipelines/containerSourceData/scripts/BuildKubevirtContainers.sh
new file mode 100755
index 00000000000..47b57091281
--- /dev/null
+++ b/.pipelines/containerSourceData/scripts/BuildKubevirtContainers.sh
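Review bot: In CreateDistrolessGoldenContainers the `git clone "https://github.com/microsoft/$marinara.git" "$marinaraSrcDir"` fetches the repository's default branch with no commit or tag pinned, so whatever that branch holds at build time becomes the builder stage (the later `sed` rewrites `FROM … as builder` in `dockerfiles/dockerfile-new-image`) of every published distroless image, and a build cannot be reproduced or audited against a known source. Pinning is a one-line follow-up after the clone, e.g. `git -C "$marinaraSrcDir" checkout "<MARINARA_REF, a commit hash kept in this script or passed in as a parameter>"`, or a shallow `git clone --branch <tag> --depth 1`. Separately, the parameter comment at the top of the file omits `-x`, although getopts accepts `x:` and assigns CONTAINER_SRC_DIR, the directory every later `source` line loads scripts from; add `# -x -> container source data directory`. Also, `readonly ROOT_FOLDER="$(git rev-parse --show-toplevel)"` hides a failing git call under `set -e` because the exit status is that of `readonly`, leaving TEMPDIR as `/TEMPDIR_CONTAINER` for the EXIT trap's `sudo rm -rf`; writing `ROOT_FOLDER="$(git rev-parse --show-toplevel)"` on its own line and then `readonly ROOT_FOLDER` lets the failure stop the script.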
@@ -0,0 +1,180 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+function create_kubevirt_container_image_base {
+ local componentName=$1
+ local containerType=$2
+ local baseContainerName=$3
+ local baseContainerTag=$4
+ local packagesToInstall=$5
+ local goldenImageDockerfile=$6
+ local originalContainerName=$7
+ local containerTypeNoDash
+
+ echo "------ Display Arguments ------"
+ echo "Component Name: -> $componentName"
+ echo "Container Type: -> $containerType"
+ echo "Base Container Name: -> $baseContainerName"
+ echo "Base Container Tag: -> $baseContainerTag"
+ echo "Packages to Install: -> $packagesToInstall"
+ echo "Dockerfile: -> $goldenImageDockerfile"
+ echo "Container Name: -> $originalContainerName"
+
+ echo "+++ create container based on $baseContainerName/core:$baseContainerTag for $componentName"
+ containerTypeNoDash=${containerType//-/}
+
+ echo
+ echo "----------------------------------------------------------------------"
+ echo "+++ create container $originalContainerName"
+
+ local containerBuildDir="$TEMPDIR/ContainerBuildDir"
+ hostMountedDir="$TEMPDIR/ContainerBuildDir/Stage"
+ newDockerStorageLocation="$TEMPDIR/storage"
+
+ mkdir -p "$containerBuildDir"
+ mkdir -p "$hostMountedDir"
+ mkdir -p "$newDockerStorageLocation"
+
+ # Copy files into docker context directory
+ tar -xf "$MARINER_RPMS_TARBALL" -C "$hostMountedDir"/
+ cp "$CONTAINER_SRC_DIR/marinerLocalRepo.repo" "$hostMountedDir"/
+ cp "$CONTAINER_SRC_DIR/Dockerfile-Initial" "$containerBuildDir/Dockerfile-Initial"
+ cp "$CONTAINER_SRC_DIR/$KUBEVIRT_BASE_COMPONENT/$goldenImageDockerfile" "$containerBuildDir/Dockerfile"
+
+ # Ensure that the path exists before copying files.
+ if [ -d "$CONTAINER_SRC_DIR/$KUBEVIRT_BASE_COMPONENT/configuration-files" ]; then
+ cp "$CONTAINER_SRC_DIR/$KUBEVIRT_BASE_COMPONENT/configuration-files"/* "$containerBuildDir"
+ fi
+
+ pushd "$containerBuildDir"
+
+ # set Dockerfile
+ echo "+++ Updating Dockerfile"
+ mainRunInstruction=$(cat Dockerfile-Initial)
+ sed -E "s|@INCLUDE_MAIN_RUN_INSTRUCTION@|$mainRunInstruction|g" -i Dockerfile
+
+ cat Dockerfile
+
+ if [ "$DISABLE_DOCKER_REDIRECTION" != "true" ]; then
+ SetDockerDefaultStorageLocation "$newDockerStorageLocation"
+ fi
+
+ # Build image
+ docker buildx build \
+ --build-arg BASE_IMAGE="$baseContainerName/core:$baseContainerTag" \
+ --build-arg RPMS_TO_INSTALL="$packagesToInstall" \
+ -t "$originalContainerName" --no-cache --progress=plain \
+ -f $containerBuildDir/Dockerfile .
+
+ # Get the installed package's version
+ echo "+++ Get version of the installed package in the container"
+
+ local containerId
+ local installedPackage
+ local componentVersion
+
+ containerId=$(docker run --entrypoint /bin/bash -dt "$originalContainerName")
+ # exec as root as the default user for some containers is non-root
+ # componentName e.g. nodejs-16.16.0-1.cm2.x86_64
+ installedPackage=$(docker exec -u 0 "$containerId" tdnf repoquery --installed "$componentName" | grep ^"$componentName")
+ echo "Full Installed Package: -> $installedPackage"
+ componentVersion=$(echo "$installedPackage" | awk '{n=split($0,a,"-")};{split(a[n],b,".")}; {print a[n-1]"-"b[1]}') # 16.16.0-1
+ echo "Component Version -> $componentVersion"
+ docker rm -f "$containerId"
+
+ # Rename the image to include package version
+ # For HCI Images, do not include "-cm" in the image tag; Instead use a "."
+ if $IS_HCI_IMAGE; then
+ # Example: acrafoimages.azurecr.io/base/kubevirt/virt-operator:0.59.0-2.2.0.20230607-amd64
+ local containerName="$originalContainerName:$componentVersion.$baseContainerTag"
+ else
+ # Example: cblmarinermain.azurecr.io/base/nodejs:16.19.1-2-cm2.0.20230607-amd64
+ local containerName="$originalContainerName:$componentVersion-cm$baseContainerTag"
+ fi
+
+ # replace base container registry prefix by golden container registry prefix (if any)
+ local baseRegistryPrefix=""
+ local goldenRegistryPrefix=""
+ getRegistryPrefix 'base' $PUBLISHING_LEVEL $BRANCH_NAME baseRegistryPrefix
+ getRegistryPrefix $GOLDEN_CONTAINER_IMAGE $PUBLISHING_LEVEL $BRANCH_NAME goldenRegistryPrefix
+ if [[ -n $goldenRegistryPrefix ]]; then
+ if [[ -n $baseRegistryPrefix && \
+ $containerName == *"$baseRegistryPrefix"* ]]; then
+ # replace base container registry prefix by golden container registry prefix
+ echo "replace $baseRegistryPrefix with $goldenRegistryPrefix in $containerName"
+ containerName=${containerName/"$baseRegistryPrefix"/"$goldenRegistryPrefix"}
+ else
+ # add golden container registry prefix
+ echo "add $goldenRegistryPrefix prefix to $containerName"
+ containerName=${containerName/"$CONTAINER_REGISTRY_NAME_FULL"/"$CONTAINER_REGISTRY_NAME_FULL/$goldenRegistryPrefix"}
+ fi
+ fi
+
+ docker image tag "$originalContainerName" "$containerName"
+ docker rmi -f "$originalContainerName"
+ echo "Container Name: -> $containerName"
+
+ # Publish image
+ publish_container "$containerName"
+
+ local containerNameSanitized
+ containerNameSanitized=$(echo "$containerName" | tr '/' '-' | tr ':' '_')
+
+ if [[ "$DISABLE_SBOM_GENERATION" != "true" ]]; then
+ # Call generate_container_sbom function to generate SBOM
+ generate_container_sbom \
+ "$componentName" \
+ "$baseContainerName" \
+ "$baseContainerTag" \
+ "$containerName" \
+ "$componentVersion" \
+ "$containerNameSanitized"
+ fi
+ popd
+
+ if [ "$DISABLE_DOCKER_REDIRECTION" != "true" ]; then
+ ResetDockerDefaultStorageLocation "$newDockerStorageLocation"
+ fi
+
+ sudo rm -rf "$newDockerStorageLocation"
+
+ # Clean up temp folder
+ sudo rm -rf "$containerBuildDir"
+
+ # Save container name
+ echo "$containerName" >> "$TEMPDIR/$file_name_prefix-$containerTypeNoDash$file_ext"
+ echo "----------------------------------------------------------------------"
+
+ save_container_list
+}
+
+function create_kubevirt_subcomp_containers {
+ # NOTE: qemu and edk2 are architecture specific packages.
+ # Include this if when edk2 is availble for ARM as well
+ # if [[ $CONTAINER_ARCHITECTURE == "*AMD64*" ]]; then
+ # else add virtlauncher_rpmsToInstall+=('qemu-system-aarch64')
+
+ mkdir -p $OUTPUT_FOLDER/CONTAINER_LISTS_FOLDER
+ local sub_components
+ sub_components=('virt-operator' 'virt-api' 'virt-controller' 'virt-handler' 'virt-launcher')
+
+ for comp in ${sub_components[@]}
+ do
+ # To build for specific versions - include it here with the name
+ dependency_component=$KUBEVIRT_BASE_COMPONENT-$comp
+ local pkgsFileName="$comp.pkg"
+ local packagesToInstall=()
+ getPkgsFromFile $KUBEVIRT_BASE_COMPONENT $pkgsFileName packagesToInstall
+ local packages="${packagesToInstall[*]}"
+ echo "packages to install " $packages
+ create_kubevirt_container_image_base \
+ "$dependency_component" \
+ "$comp" \
+ "$base_container_name" \
+ "$base_container_tag" \
+ "$packages" \
+ "Dockerfile-$dependency_component" \
+ "$CONTAINER_REGISTRY_NAME_FULL/base/$KUBEVIRT_FOLDER_PREFIX/$comp"
+ done
+}
diff --git a/.pipelines/containerSourceData/scripts/BuildMultusContainer.sh b/.pipelines/containerSourceData/scripts/BuildMultusContainer.sh
new file mode 100644
index 00000000000..8ac9670b71b
--- /dev/null
+++ b/.pipelines/containerSourceData/scripts/BuildMultusContainer.sh
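Review bot: The version lookup in create_kubevirt_container_image_base has no failure check: when `tdnf repoquery --installed` prints nothing (package name mismatch, or the `docker exec` itself failing), `installedPackage` is empty, the awk line degrades `componentVersion` to an empty or bare `-` string, and the image is still tagged with that value and pushed by `publish_container`. A guard right after the repoquery line, `[[ -n "$installedPackage" ]] || { echo "could not determine installed version of $componentName" >&2; docker rm -f "$containerId"; return 1; }`, keeps a mis-tagged image from reaching the registry; whether the sourcing script runs under `set -e` is not visible here, so the explicit check is safer either way. The same unguarded extraction appears in BuildMultusContainer.sh and BuildSriovDpContainer.sh. Two smaller points: `hostMountedDir` and `newDockerStorageLocation` are assigned without `local` and so leak into the sourcing shell, and `for comp in ${sub_components[@]}` should be `for comp in "${sub_components[@]}"`.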
@@ -0,0 +1,140 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+function create_multus_container_image_base {
+ local componentName
+ local baseContainerName
+ local baseContainerTag
+ local containerBuildDir
+ local initialDockerfile
+ local packagesToInstall
+
+ # $1: component name
+ # $2: container name
+ # $3: container tag
+ # $4: packages to install
+ # $5: initial Dockerfile
+ componentName=$1
+ baseContainerName=$2
+ baseContainerTag=$3
+ packagesToInstall=$4
+ initialDockerfile=$5
+
+ local originalContainerName="$CONTAINER_REGISTRY_NAME_FULL/base/$componentName"
+
+ echo
+ echo "----------------------------------------------------------------------"
+ echo "+++ create container $containerName"
+
+ containerBuildDir="$TEMPDIR/ContainerBuildDir"
+ hostMountedDir="$TEMPDIR/ContainerBuildDir/Stage"
+ newDockerStorageLocation="$TEMPDIR/storage"
+
+ mkdir -p "$containerBuildDir"
+ mkdir -p "$hostMountedDir"
+ mkdir -p "$newDockerStorageLocation"
+
+ # Copy files into docker context directory
+ tar -xf "$MARINER_RPMS_TARBALL" -C "$hostMountedDir"/
+ cp "$CONTAINER_SRC_DIR/marinerLocalRepo.repo" "$hostMountedDir"/
+ cp "$CONTAINER_SRC_DIR/Dockerfile-Initial" "$containerBuildDir/Dockerfile-Initial"
+ cp $initialDockerfile $containerBuildDir/Dockerfile
+
+ pushd $containerBuildDir > /dev/null
+
+ # set Dockerfile
+ echo "+++ Updating Dockerfile"
+ mainRunInstruction=$(cat Dockerfile-Initial)
+ sed -E "s|@INCLUDE_MAIN_RUN_INSTRUCTION@|$mainRunInstruction|g" -i Dockerfile
+
+ SetDockerDefaultStorageLocation "$newDockerStorageLocation"
+
+ # Build image
+ docker buildx build \
+ --build-arg BASE_IMAGE="$baseContainerName/core:$baseContainerTag" \
+ --build-arg RPMS_TO_INSTALL="$packagesToInstall" \
+ -t "$originalContainerName" --no-cache --progress=plain .
+
+ # Get the installed package's version
+ echo "+++ Get version of the installed package in the container"
+
+ local containerId=$(docker run --entrypoint /bin/bash -dt "$originalContainerName")
+ local installedPackage=$(docker exec "$containerId" rpm -qa | grep ^"$componentName") # nodejs-16.16.0-1.cm2.x86_64
+ echo "Full Installed Package: -> $installedPackage"
+ local componentVersion=$(echo "$installedPackage" | awk '{n=split($0,a,"-")};{split(a[n],b,".")}; {print a[n-1]"-"b[1]}') # 16.16.0-1
+ echo "Component Version -> $componentVersion"
+ docker rm -f "$containerId"
+
+ # Rename the image to include package version
+ local containerName="$originalContainerName:$componentVersion.$baseContainerTag"
+ # replace base container registry prefix by golden container registry prefix (if any)
+ local baseRegistryPrefix=""
+ local goldenRegistryPrefix=""
+ getRegistryPrefix 'base' $PUBLISHING_LEVEL $BRANCH_NAME baseRegistryPrefix
+ getRegistryPrefix $GOLDEN_CONTAINER_IMAGE $PUBLISHING_LEVEL $BRANCH_NAME goldenRegistryPrefix
+ if [[ -n $goldenRegistryPrefix ]]; then
+ if [[ -n $baseRegistryPrefix && \
+ $containerName == *"$baseRegistryPrefix"* ]]; then
+ # replace base container registry prefix by golden container registry prefix
+ echo "replace $baseRegistryPrefix with $goldenRegistryPrefix in $containerName"
+ containerName=${containerName/"$baseRegistryPrefix"/"$goldenRegistryPrefix"}
+ else
+ # add golden container registry prefix
+ echo "add $goldenRegistryPrefix prefix to $containerName"
+ containerName=${containerName/"$CONTAINER_REGISTRY_NAME_FULL"/"$CONTAINER_REGISTRY_NAME_FULL/$goldenRegistryPrefix"}
+ fi
+ fi
+
+ docker image tag "$originalContainerName" "$containerName"
+ docker rmi -f "$originalContainerName"
+ echo "Container Name: -> $containerName"
+
+ local containerNameSanitized=$(echo "$containerName" | tr '/' '-' | tr ':' '_')
+
+ publish_container "$containerName"
+
+ # Call generate_container_sbom function to generate SBOM
+ generate_container_sbom \
+ "$componentName" \
+ "$baseContainerName" \
+ "$baseContainerTag" \
+ "$containerName" \
+ "$componentVersion" \
+ "$containerNameSanitized"
+
+ echo "$containerName" >> $TEMPDIR/$file_name_prefix-$componentName$file_ext
+
+ ResetDockerDefaultStorageLocation "$newDockerStorageLocation"
+
+ # Clean up docker storage folder
+ sudo rm -rf "$newDockerStorageLocation"
+
+ # clean up temp folder
+ popd > /dev/null
+ sudo rm -rf $containerBuildDir
+
+ echo "----------------------------------------------------------------------"
+}
+
+function create_multus_container {
+ mkdir -p $OUTPUT_FOLDER/CONTAINER_LISTS_FOLDER
+ local dependency_component=$MULTUS
+ local pkgsFileName="$MULTUS.pkg"
+ local packagesToInstall=()
+ getPkgsFromFile $MULTUS $pkgsFileName packagesToInstall
+ local packages="${packagesToInstall[*]}"
+
+ echo "+++ create container based on $base_container_name:$base_container_tag for $dependency_component"
+ create_multus_container_image_base \
+ "$dependency_component" \
+ "$base_container_name" \
+ "$base_container_tag" \
+ "$packages" \
+ "$CONTAINER_SRC_DIR/$MULTUS/Dockerfile-Multus"
+
+ # Save text files generated in TEMPDIR
+ echo "+++ publish container list into pipeline artifacts"
+ cp $TEMPDIR/$file_name_prefix-*$file_ext $OUTPUT_FOLDER/CONTAINER_LISTS_FOLDER
+
+}
\ No newline at end of file
diff --git a/.pipelines/containerSourceData/scripts/BuildSriovDpContainer.sh b/.pipelines/containerSourceData/scripts/BuildSriovDpContainer.sh
new file mode 100644
index 00000000000..83ef625e87f
--- /dev/null
+++ b/.pipelines/containerSourceData/scripts/BuildSriovDpContainer.sh
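Review bot: `echo "+++ create container $containerName"` near the top of create_multus_container_image_base expands `containerName` before this function assigns it (the `local containerName=...` only comes after the build, under "Rename the image"), so unless a caller happens to export a variable of that name the banner prints an empty name; `echo "+++ create container $originalContainerName"`, as BuildKubevirtContainers.sh does, is what was meant. The `local containerId=$(...)`, `local installedPackage=$(...)` and `local componentVersion=$(...)` forms also mask the command's exit status (shellcheck SC2155), so a failed `docker run` or `docker exec` is invisible even under `set -e`; declaring and assigning on separate lines, as the kubevirt script does, fixes that. Unlike BuildKubevirtContainers.sh, this script calls SetDockerDefaultStorageLocation and generate_container_sbom unconditionally, ignoring `DISABLE_DOCKER_REDIRECTION` and `DISABLE_SBOM_GENERATION`; if those switches are meant to apply to every golden image, the same guards belong here. All of these points apply verbatim to BuildSriovDpContainer.sh.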
@@ -0,0 +1,139 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+function create_sriov_dp_container_image_base {
+ local componentName
+ local baseContainerName
+ local baseContainerTag
+ local containerBuildDir
+ local initialDockerfile
+ local packagesToInstall
+
+ # $1: component name
+ # $2: container name
+ # $3: container tag
+ # $4: packages to install
+ # $5: initial Dockerfile
+ componentName=$1
+ baseContainerName=$2
+ baseContainerTag=$3
+ packagesToInstall=$4
+ initialDockerfile=$5
+
+ local originalContainerName="$CONTAINER_REGISTRY_NAME_FULL/base/$componentName"
+
+ echo
+ echo "----------------------------------------------------------------------"
+ echo "+++ create container $containerName"
+
+ containerBuildDir="$TEMPDIR/ContainerBuildDir"
+ hostMountedDir="$TEMPDIR/ContainerBuildDir/Stage"
+ newDockerStorageLocation="$TEMPDIR/storage"
+
+ mkdir -p "$containerBuildDir"
+ mkdir -p "$hostMountedDir"
+ mkdir -p "$newDockerStorageLocation"
+
+ # Copy files into docker context directory
+ tar -xf "$MARINER_RPMS_TARBALL" -C "$hostMountedDir"/
+ cp "$CONTAINER_SRC_DIR/marinerLocalRepo.repo" "$hostMountedDir"/
+ cp "$CONTAINER_SRC_DIR/Dockerfile-Initial" "$containerBuildDir/Dockerfile-Initial"
+ cp $initialDockerfile $containerBuildDir/Dockerfile
+
+ pushd $containerBuildDir > /dev/null
+
+ # set Dockerfile
+ echo "+++ Updating Dockerfile"
+ mainRunInstruction=$(cat Dockerfile-Initial)
+ sed -E "s|@INCLUDE_MAIN_RUN_INSTRUCTION@|$mainRunInstruction|g" -i Dockerfile
+
+ SetDockerDefaultStorageLocation "$newDockerStorageLocation"
+
+ # Build image
+ docker buildx build \
+ --build-arg BASE_IMAGE="$baseContainerName/core:$baseContainerTag" \
+ --build-arg RPMS_TO_INSTALL="$packagesToInstall" \
+ -t "$originalContainerName" --no-cache --progress=plain .
+
+ # Get the installed package's version
+ echo "+++ Get version of the installed package in the container"
+
+ local containerId=$(docker run --entrypoint /bin/bash -dt "$originalContainerName")
+ local installedPackage=$(docker exec "$containerId" rpm -qa | grep ^"$componentName") # nodejs-16.16.0-1.cm2.x86_64
+ echo "Full Installed Package: -> $installedPackage"
+ local componentVersion=$(echo "$installedPackage" | awk '{n=split($0,a,"-")};{split(a[n],b,".")}; {print a[n-1]"-"b[1]}') # 16.16.0-1
+ echo "Component Version -> $componentVersion"
+ docker rm -f "$containerId"
+
+ # Rename the image to include package version
+ local containerName="$originalContainerName:$componentVersion.$baseContainerTag"
+ # replace base container registry prefix by golden container registry prefix (if any)
+ local baseRegistryPrefix=""
+ local goldenRegistryPrefix=""
+ getRegistryPrefix 'base' $PUBLISHING_LEVEL $BRANCH_NAME baseRegistryPrefix
+ getRegistryPrefix $GOLDEN_CONTAINER_IMAGE $PUBLISHING_LEVEL $BRANCH_NAME goldenRegistryPrefix
+ if [[ -n $goldenRegistryPrefix ]]; then
+ if [[ -n $baseRegistryPrefix && \
+ $containerName == *"$baseRegistryPrefix"* ]]; then
+ # replace base container registry prefix by golden container registry prefix
+ echo "replace $baseRegistryPrefix with $goldenRegistryPrefix in $containerName"
+ containerName=${containerName/"$baseRegistryPrefix"/"$goldenRegistryPrefix"}
+ else
+ # add golden container registry prefix
+ echo "add $goldenRegistryPrefix prefix to $containerName"
+ containerName=${containerName/"$CONTAINER_REGISTRY_NAME_FULL"/"$CONTAINER_REGISTRY_NAME_FULL/$goldenRegistryPrefix"}
+ fi
+ fi
+
+ docker image tag "$originalContainerName" "$containerName"
+ docker rmi -f "$originalContainerName"
+ echo "Container Name: -> $containerName"
+
+ local containerNameSanitized=$(echo "$containerName" | tr '/' '-' | tr ':' '_')
+
+ publish_container "$containerName"
+
+ # Call generate_container_sbom function to generate SBOM
+ generate_container_sbom \
+ "$componentName" \
+ "$baseContainerName" \
+ "$baseContainerTag" \
+ "$containerName" \
+ "$componentVersion" \
+ "$containerNameSanitized"
+
+ echo "$containerName" >> $TEMPDIR/$file_name_prefix-$componentName$file_ext
+
+ ResetDockerDefaultStorageLocation "$newDockerStorageLocation"
+
+ # Clean up docker storage folder
+ sudo rm -rf "$newDockerStorageLocation"
+
+ # clean up temp folder
+ popd > /dev/null
+ sudo rm -rf $containerBuildDir
+
+ echo "----------------------------------------------------------------------"
+}
+
+function create_sriov_dp_container {
+ mkdir -p $OUTPUT_FOLDER/CONTAINER_LISTS_FOLDER
+ local dependency_component=$SRIOV_NETWORK_DEVICE_PLUGIN
+ local pkgsFileName="$SRIOV_NETWORK_DEVICE_PLUGIN_NO_DASH.pkg"
+ local packagesToInstall=()
+ getPkgsFromFile $SRIOV_NETWORK_DEVICE_PLUGIN_NO_DASH $pkgsFileName packagesToInstall
+ local packages="${packagesToInstall[*]}"
+
+ echo "+++ create container based on $base_container_name:$base_container_tag for $dependency_component"
+ create_sriov_dp_container_image_base \
+ "$dependency_component" \
+ "$base_container_name" \
+ "$base_container_tag" \
+ "$packages" \
+ "$CONTAINER_SRC_DIR/$SRIOV_NETWORK_DEVICE_PLUGIN_NO_DASH/Dockerfile-sriov-network-device-plugin"
+
+ # Save text files generated in TEMPDIR
+ echo "+++ publish container list into pipeline artifacts"
+ cp $TEMPDIR/$file_name_prefix-*$file_ext $OUTPUT_FOLDER/CONTAINER_LISTS_FOLDER
+}
\ No newline at end of file
diff --git a/.pipelines/containerSourceData/scripts/CommonFunctions.sh b/.pipelines/containerSourceData/scripts/CommonFunctions.sh
new file mode 100755
index 00000000000..0b06d2990bb
--- /dev/null
+++ b/.pipelines/containerSourceData/scripts/CommonFunctions.sh
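Review bot: `rpm -qa | grep ^"$componentName"` in create_sriov_dp_container_image_base is a bare prefix match, so any other installed package whose name starts with `sriov-network-device-plugin` (a subpackage, say) would make `installedPackage` multi-line and the derived tag garbage; `rpm -q "$componentName"` queries that exact package name and exits non-zero when it is absent, which is the check this code currently lacks (the same applies to BuildMultusContainer.sh). The list file is written as `$TEMPDIR/$file_name_prefix-$componentName$file_ext` with the dashed component name, whereas BuildKubevirtContainers.sh strips dashes for that file name via `containerTypeNoDash`; if the consumer of these lists relies on dash-free names, this one will not be picked up — worth confirming against the artifact-publishing step. This file is otherwise a line-for-line copy of BuildMultusContainer.sh; a shared `create_single_package_container_image_base` in CommonFunctions.sh taking the Dockerfile path as a parameter would stop the two from drifting.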
@@ -0,0 +1,243 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# Logs into Azure
+function azure_login {
+ # Note this script assumes that az login has already been done
+ echo " -> login into ACR $1"
+ az acr login --name "$1"
+}
+
+# Builds SBOM
+function generate_container_sbom {
+ local component_name=$1
+ local base_container_name=$2
+ local base_container_tag=$3
+ local container_name=$4
+ local component_version_revision=$5
+ local container_name_sanitized=$6
+
+ echo
+ echo "====================================================================="
+ echo "Generate SBOM for containers $container_image_name"
+ echo "====================================================================="
+ echo
+
+ DOCKER_BUILD_DIR="$(pwd)"
+
+ # generate-container-sbom.sh will create the SBOM at the following path
+ IMAGE_SBOM_MANIFEST_PATH="$DOCKER_BUILD_DIR/_manifest/spdx_2.2/manifest.spdx.json"
+ "$ROOT_FOLDER"/.pipelines/generate-container-sbom.sh \
+ "$DOCKER_BUILD_DIR" \
+ "$container_name" \
+ "$MANIFEST_TOOL_DIR" \
+ "$base_container_name-$component_name" \
+ "$component_version_revision-cm$base_container_tag"
+
+ cp -v "$IMAGE_SBOM_MANIFEST_PATH" "$OUTPUT_FOLDER/SBOM_IMAGES/$container_name_sanitized.spdx.json"
+ echo "Generated SBOM:'$OUTPUT_FOLDER/SBOM_IMAGES/$container_name_sanitized.spdx.json'"
+}
+
+readonly DOCKER_DAEMON_JSON_FILE="/etc/docker/daemon.json"
+readonly DOCKER_DAEMON_JSON_BACKUP_FILE="/etc/docker/daemon.json.cfbackup"
+
+# Sets the docker storage location to a user provided path which larger disk space
+function SetDockerDefaultStorageLocation {
+ local newLocation=$1
+ echo "Change docker default storage location"
+ echo "Default docker storage location"
+ sudo systemctl start docker
+ docker info | grep "Docker Root Dir"
+
+ echo "Stop docker"
+ sudo systemctl stop docker.service
+ sudo systemctl stop docker.socket
+
+ ls -lR /etc/docker
+
+ # Do not clobber existing backup to not accidentally overwrite the valid backup
+ if [ ! -f $DOCKER_DAEMON_JSON_BACKUP_FILE ] && [ -f $DOCKER_DAEMON_JSON_FILE ]; then
+ echo "Backup daemon.json"
+ sudo cp $DOCKER_DAEMON_JSON_FILE $DOCKER_DAEMON_JSON_BACKUP_FILE
+ fi
+
+ echo "Copy data-root property to daemon.json"
+ echo "{ \"data-root\": \"${newLocation}\" }" > daemon.json
+
+ echo "Display daemon.json"
+ sudo cat daemon.json
+
+ echo "Copy daemon.json to docker"
+ sudo cp daemon.json $DOCKER_DAEMON_JSON_FILE
+
+ mkdir -p "${newLocation}"
+
+ echo "Restart docker"
+ sudo systemctl daemon-reload
+ sudo systemctl start docker
+
+ echo "New docker storage location"
+ docker info | grep "Docker Root Dir"
+
+ echo "--------------------------------------------"
+}
+
+# Resets the docker storage location from backup
+function ResetDockerDefaultStorageLocation {
+ local currentLocation=$1
+ echo "Reset docker default storage location"
+ echo "Stop docker"
+ sudo systemctl stop docker.service
+ sudo systemctl stop docker.socket
+
+ echo "Recovering daemon.json from backup"
+ if [ -f $DOCKER_DAEMON_JSON_BACKUP_FILE ]; then
+ sudo mv $DOCKER_DAEMON_JSON_BACKUP_FILE $DOCKER_DAEMON_JSON_FILE
+ else
+ sudo rm $DOCKER_DAEMON_JSON_FILE
+ fi
+
+ echo "Restart docker"
+ sudo systemctl daemon-reload
+ sudo systemctl start docker
+
+ echo "New docker storage location"
+ docker info | grep "Docker Root Dir"
+}
+
+# Saves the container list in folder named CONTAINER_LISTS_FOLDER
+function save_container_list {
+ # Save text files generated in TEMPDIR
+ echo
+ echo "====================================================================="
+ echo "Publish container list into pipeline artifacts"
+ echo "====================================================================="
+ echo
+
+ mkdir -pv "$OUTPUT_FOLDER/CONTAINER_LISTS_FOLDER"
+ cp "$TEMPDIR"/$file_name_prefix-*$file_ext "$OUTPUT_FOLDER"/CONTAINER_LISTS_FOLDER
+}
+
+# Tests golden container
+function test_golden_container {
+ local container_type=$1
+ local container_image_name=$2
+
+ echo
+ echo "====================================================================="
+ echo "Test container $container_image_name"
+ echo "====================================================================="
+ echo
+
+ "$ROOT_FOLDER/pipelines/test-golden-image-pipeline/test-source-artifacts/$container_type/TestRunner.sh" \
+ -n "$container_image_name" \
+ -o "$PWD"
+}
+
+function test_distroless_container {
+ local test_dir_name=$1
+ local builder_image=$2
+ local container_image_name=$3
+
+ echo
+ echo "====================================================================="
+ echo "Test container $container_image_name"
+ echo "====================================================================="
+ echo
+
+ "$ROOT_FOLDER/pipelines/test-golden-image-pipeline/test-source-artifacts/$test_dir_name/TestRunner.sh" \
+ -b "$builder_image" \
+ -n "$container_image_name" \
+ -o "$PWD"
+}
+
+# Publishes the given golden container to azure container registry
+function publish_container {
+ local container_name=$1
+ echo
+ echo "====================================================================="
+ echo "Publish container $container_name"
+ echo "====================================================================="
+ echo
+
+ previous_login="none"
+ OLDIFS=$IFS
+ IFS='.'
+ read -ra name_parts <<< "$container_name"
+ IFS=$OLDIFS
+ container_registry="${name_parts[0]}"
+
+ if [[ "$previous_login" != "$container_registry" ]]; then
+ echo " -> login into ACR $container_registry"
+ az acr login --name "$container_registry"
+ previous_login=$container_registry
+ fi
+
+ docker image push "$container_name"
+ echo
+}
+
+# Checks if $GOLDEN_CONTAINER_IMAGE is an HCI image by looking at the config file.
+# Assigns a boolean to the out variables.
+# The caller must define ROOT_FOLDER and GOLDEN_CONTAINER_IMAGE.
+function checkIfHciImage {
+ local __containerImageName=$1 # [out parameter]
+ local isHciImage=false
+ ACR_MAPPING_CONFIG_FILE="$ROOT_FOLDER/pipelines/publish-containers/common/configuration/acrRepoMapping.json"
+ marinerHciGoldenImagesArray=$(jq ".MarinerHciGoldenImages[]" "$ACR_MAPPING_CONFIG_FILE" | tr -d \")
+ for marinerHciGoldenImage in $marinerHciGoldenImagesArray; do
+ if [[ $marinerHciGoldenImage == "$GOLDEN_CONTAINER_IMAGE" ]]; then
+ isHciImage=true
+ break
+ fi
+ done
+ eval $__containerImageName=$isHciImage
+}
+
+# get registry prefix (if any)
+# Assigns a string to the out variables.
+# The caller must define ROOT_FOLDER
+function getRegistryPrefix {
+ local container_name=$1
+ local publishingLevel=$2
+ local gitBranch=$3
+ local __registryPrefix=$4 # [out parameter]
+ local prefix=""
+
+ local git_branch_json=""
+ local acr_repo_mapping_json=""
+ local image_json=""
+
+ ACR_MAPPING_CONFIG_FILE="$ROOT_FOLDER/pipelines/publish-containers/common/configuration/acrRepoMapping.json"
+ eval $__registryPrefix=$prefix
+
+ git_branch_json=$(jq ".gitBranches[]|select(.gitBranch == \"$gitBranch\")" "$ACR_MAPPING_CONFIG_FILE")
+ if [[ -z $git_branch_json ]]; then
+ echo "No branch tag '$gitBranch' in json ($ACR_MAPPING_CONFIG_FILE)"
+ return
+ fi
+
+ acr_repo_mapping_json=$(echo $git_branch_json | jq ".acrRepoMapping[]|select(.publishingLevel == \"$publishingLevel\")")
+ if [[ -z $acr_repo_mapping_json ]]; then
+ echo "No publishing level '$publishingLevel' for branch '$gitBranch' in json ($ACR_MAPPING_CONFIG_FILE)"
+ return
+ fi
+
+ image_json=$(echo $acr_repo_mapping_json | jq ".images[]|select(.name == \"$container_name\")")
+ if [[ -z $image_json ]]; then
+ echo "No container named '$container_name' for publishing level '$publishingLevel' for branch '$gitBranch' in json ($ACR_MAPPING_CONFIG_FILE)"
+ return
+ fi
+
+ prefix=$(echo $image_json | jq .repoPrefix | tr -d \")
+ # reset registry prefix to "" if it is not defined in json (jq return 'null')
+ if [[ $prefix == "null" ]]; then
+ prefix=""
+ echo "No registry prefix for '$container_name' branch '$gitBranch' publishing level '$publishingLevel'"
+ else
+ echo "Registry prefix '$prefix' for '$container_name' branch '$gitBranch' publishing level '$publishingLevel'"
+ fi
+
+ eval $__registryPrefix=$prefix
+}
\ No newline at end of file
diff --git a/.pipelines/containerSourceData/sriovnetworkdeviceplugin/Dockerfile-sriov-network-device-plugin b/.pipelines/containerSourceData/sriovnetworkdeviceplugin/Dockerfile-sriov-network-device-plugin
new file mode 100644
index 00000000000..b6e292e034e
--- /dev/null
+++ b/.pipelines/containerSourceData/sriovnetworkdeviceplugin/Dockerfile-sriov-network-device-plugin
@@ -0,0 +1,15 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+RUN mkdir -p /usr/src/sriov-network-device-plugin/bin \
+ && cp /usr/bin/sriovdp /usr/src/sriov-network-device-plugin/bin/ \
+ && cp /usr/bin/sriov-network-device-plugin-entrypoint.sh /entrypoint.sh \
+ && cp /usr/share/sriov-network-device-plugin/ddptool-1.0.1.12.tar.gz /ddptool.tar.gz
+
+ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/.pipelines/containerSourceData/sriovnetworkdeviceplugin/sriovnetworkdeviceplugin.pkg b/.pipelines/containerSourceData/sriovnetworkdeviceplugin/sriovnetworkdeviceplugin.pkg
new file mode 100644
index 00000000000..ea8f51850de
--- /dev/null
+++ b/.pipelines/containerSourceData/sriovnetworkdeviceplugin/sriovnetworkdeviceplugin.pkg
@@ -0,0 +1,2 @@
+ca-certificates
+sriov-network-device-plugin
diff --git a/.pipelines/containerSourceData/telegraf/Dockerfile-Telegraf b/.pipelines/containerSourceData/telegraf/Dockerfile-Telegraf
new file mode 100644
index 00000000000..fe8668d9107
--- /dev/null
+++ b/.pipelines/containerSourceData/telegraf/Dockerfile-Telegraf
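Review bot: `eval $__registryPrefix=$prefix` at the end of getRegistryPrefix (and `eval $__containerImageName=$isHciImage` in checkIfHciImage) re-parses a value read from acrRepoMapping.json as shell, so a `repoPrefix` containing whitespace or shell metacharacters is executed rather than assigned; bash's `printf -v "$__registryPrefix" '%s' "$prefix"` assigns through the out-parameter name without re-parsing, and `prefix=$(echo "$image_json" | jq -r .repoPrefix)` replaces the `tr -d \"` stripping (likewise `jq -r` in checkIfHciImage). Two smaller defects: generate_container_sbom's banner prints `$container_image_name`, which is not one of that function's parameters (its local is `container_name`), and publish_container sets `previous_login="none"` on every call, so the login cache it then tests never hits and `az acr login` runs for every push. SetDockerDefaultStorageLocation also replaces `/etc/docker/daemon.json` wholesale, so any other daemon settings the agent had are gone until Reset restores the backup; a header comment such as `# Replaces daemon.json entirely (no merge) until ResetDockerDefaultStorageLocation restores the backup` would make that trade-off visible to the next maintainer.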
@@ -0,0 +1,14 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# basic smoke test
+RUN telegraf --help
+
+# set default command for the container
+CMD ["telegraf"]
diff --git a/.pipelines/containerSourceData/telegraf/telegraf.pkg b/.pipelines/containerSourceData/telegraf/telegraf.pkg
new file mode 100644
index 00000000000..b4ee3b5870c
--- /dev/null
+++ b/.pipelines/containerSourceData/telegraf/telegraf.pkg
@@ -0,0 +1,2 @@
+ca-certificates
+telegraf
diff --git a/.pipelines/containerSourceData/tensorflow/Dockerfile-Tensorflow b/.pipelines/containerSourceData/tensorflow/Dockerfile-Tensorflow
new file mode 100644
index 00000000000..4e962ad050e
--- /dev/null
+++ b/.pipelines/containerSourceData/tensorflow/Dockerfile-Tensorflow
@@ -0,0 +1,27 @@
+# Copyright 2019 The TensorFlow Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============================================================================
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# Some TF tools expect a "python" binary
+RUN ln -s /usr/bin/python3 /usr/bin/python
+ENV LANG C.UTF-8
+
+COPY bashrc /etc/bash.bashrc
+RUN chmod a+rwx /etc/bash.bashrc
diff --git a/.pipelines/containerSourceData/tensorflow/configuration-files/bashrc b/.pipelines/containerSourceData/tensorflow/configuration-files/bashrc
new file mode 100644
index 00000000000..643289e24ef
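Review bot: Dockerfile-Telegraf ends with `CMD ["telegraf"]` and carries no `USER` instruction, so the agent runs as root inside the container unless the base image already switches user. If the telegraf RPM creates a service account (the upstream telegraf image runs as a dedicated `telegraf` user), a `USER telegraf` line before the CMD drops privileges at no cost to the `RUN telegraf --help` smoke test; whether the package creates that account is not visible in this diff, so confirm against the spec before adding it.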
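Review bot: `RUN chmod a+rwx /etc/bash.bashrc` in Dockerfile-Tensorflow makes the system-wide bash startup file world-writable, so any unprivileged process in the container can append commands that every later interactive shell — including an operator's `docker exec` — will execute. The prompt customisation only needs the file to be readable, and `COPY` already produces a root-owned readable file, so `RUN chmod 644 /etc/bash.bashrc` (or dropping the chmod line) is sufficient. The line mirrors the upstream TensorFlow Dockerfile; if the write bit is intentionally kept for parity, a comment saying so would stop the next reviewer from flagging it again.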
--- /dev/null +++ b/.pipelines/containerSourceData/tensorflow/configuration-files/bashrc @@ -0,0 +1,53 @@ +# Copyright 2018 The TensorFlow Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# ============================================================================== + +# If not running interactively, don't do anything +[ -z "$PS1" ] && return + +export PS1="\[\e[31m\]tf-docker\[\e[m\] \[\e[33m\]\w\[\e[m\] > " +export TERM=xterm-256color +alias grep="grep --color=auto" +alias ls="ls --color=auto" + +echo -e "\e[1;31m" +cat<&2 + echo "ERROR: cache RPMs archive '${{ inputCacheArtifact.rpmsTarball }}' not found!" >&2 exit 1 fi sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" hydrate-cached-rpms CACHED_PACKAGES_ARCHIVE="$rpms_archive" - displayName: "Populate RPMs cache" + displayName: "Populate cache RPMs" - script: | if [[ ${{ parameters.isDeltaBuild }} == "true" ]]; then 
@@ -219,7 +222,18 @@ steps: displayName: "Build packages" - ${{ if parameters.outputArtifactsFolder }}: - - ${{ if parameters.rpmsTarballName }}: + - ${{ if parameters.outputRPMsCacheTarballName }}: + - script: | + sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" compress-cached-rpms + displayName: "Compress cached RPMs" + + - bash: | + published_artifacts_dir="${{ parameters.outputArtifactsFolder }}/${{ parameters.outputArtifactsPackagesSubfolder }}" + mkdir -p "$published_artifacts_dir" + cp "${{ parameters.buildRepoRoot }}"/out/cache.tar.gz "$published_artifacts_dir/${{ parameters.outputRPMsCacheTarballName }}" + displayName: "Copy cached RPMs for publishing" + + - ${{ if parameters.outputRPMsTarballName }}: - script: | sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" compress-rpms displayName: "Compress RPMs" @@ -227,10 +241,10 @@ steps: - bash: | published_artifacts_dir="${{ parameters.outputArtifactsFolder }}/${{ parameters.outputArtifactsPackagesSubfolder }}" mkdir -p "$published_artifacts_dir" - cp "${{ parameters.buildRepoRoot }}"/out/rpms.tar.gz "$published_artifacts_dir/${{ parameters.rpmsTarballName }}" + cp "${{ parameters.buildRepoRoot }}"/out/rpms.tar.gz "$published_artifacts_dir/${{ parameters.outputRPMsTarballName }}" displayName: "Copy RPMs for publishing" - - ${{ if parameters.srpmsTarballName }}: + - ${{ if parameters.outputSRPMsTarballName }}: - script: | sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" compress-srpms displayName: "Compress SRPMs" 
@@ -238,7 +252,7 @@ steps: - bash: | published_artifacts_dir="${{ parameters.outputArtifactsFolder }}/${{ parameters.outputArtifactsPackagesSubfolder }}" mkdir -p "$published_artifacts_dir" - cp "${{ parameters.buildRepoRoot }}"/out/srpms.tar.gz "$published_artifacts_dir/${{ parameters.srpmsTarballName }}" + cp "${{ parameters.buildRepoRoot }}"/out/srpms.tar.gz "$published_artifacts_dir/${{ parameters.outputSRPMsTarballName }}" displayName: "Copy SRPMs for publishing" - ${{ if parameters.publishLogs }}: diff --git a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec index f3ccf139838..7e24566a363 100644 --- a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec +++ b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec @@ -9,7 +9,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for Azure Name: kernel-azure-signed-%{buildarch} -Version: 5.15.145.2 +Version: 5.15.148.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -153,6 +153,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Tue Jan 30 2024 CBL-Mariner Servicing Account - 5.15.148.1-1 +- Auto-upgrade to 5.15.148.1 + +* Thu Jan 25 2024 CBL-Mariner Servicing Account - 5.15.147.1-1 +- Auto-upgrade to 5.15.147.1 + * Tue Jan 16 2024 Gary Swalling - 5.15.145.2-1 - Update to 5.15.145.2 diff --git a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec index c8afee3c7a0..3acb15c61b7 100644 --- a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec +++ b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec @@ -4,7 +4,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for HCI Name: kernel-hci-signed-%{buildarch} -Version: 5.15.145.2 +Version: 5.15.148.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation 
@@ -149,6 +149,18 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Tue Jan 30 2024 CBL-Mariner Servicing Account - 5.15.148.1-1 +- Auto-upgrade to 5.15.148.1 + +* Thu Jan 25 2024 CBL-Mariner Servicing Account - 5.15.147.1-1 +- Auto-upgrade to 5.15.147.1 + +* Thu Jan 25 2024 Vince Perri - 5.15.145.2-3 +- Bump release to match kernel-hci + +* Mon Jan 22 2024 Vince Perri - 5.15.145.2-2 +- Bump release to match kernel + * Tue Jan 16 2024 Gary Swalling - 5.15.145.2-1 - Update to 5.15.145.2 diff --git a/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec b/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec index c046a0d5eab..a34947f29ec 100644 --- a/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec +++ b/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec @@ -4,7 +4,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for MOS systems Name: kernel-mos-signed-%{buildarch} -Version: 5.15.145.2 +Version: 5.15.148.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -150,6 +150,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Wed Jan 31 2024 Gary Swalling - 5.15.148.1-1 +- Update to 5.15.148.1 + * Tue Jan 16 2024 Gary Swalling - 5.15.145.2-1 - Update to 5.15.145.2 diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 2ad0a3a8e3f..794702223f9 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -9,7 +9,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 5.15.145.2 +Version: 5.15.148.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation 
@@ -153,6 +153,18 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Tue Jan 30 2024 CBL-Mariner Servicing Account - 5.15.148.1-1 +- Auto-upgrade to 5.15.148.1 + +* Thu Jan 25 2024 CBL-Mariner Servicing Account - 5.15.147.1-1 +- Auto-upgrade to 5.15.147.1 + +* Thu Jan 18 2024 Rachel Menge - 5.15.145.2-3 +- Bump release to match kernel + +* Wed Jan 17 2024 Pawel Winogrodzki - 5.15.145.2-2 +- Bump release to match kernel-headers. + * Tue Jan 16 2024 Gary Swalling - 5.15.145.2-1 - Update to 5.15.145.2 diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md index 78814fe4149..1e2332fb457 100644 --- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md +++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md @@ -5,7 +5,7 @@ The CBL-Mariner SPEC files originated from a variety of sources with varying lic | CentOS | [MIT](https://www.centos.org/legal/#licensing-policy) | crash-ptdump-command
delve
fstrm
nodejs-nodemon
rhnlib
rt-setup
rt-tests
rtctl
tuned | | Ceph source | [LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1) | ceph | | Debian | [MIT](https://opensource.org/licenses/MIT) | prometheus-process-exporter | -| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
argparse-manpage
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bogofilter
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
containernetworking-plugins
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
double-conversion
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
evemu
execstack
exempi
exiv2
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fapolicyd
fdk-aac-free
fdupes
fence-virt
fetchmail
fftw
filebench
fio
fipscheck
firewalld
fish
flac
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fxload
gavl
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
giflib
gl-manpages
glew
glm
glog
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
kata-containers
kde-filesystem
kde-settings
kexec-tools
keybinder3
keycloak-httpd-client-install
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbi-drivers
libdbusmenu
libdc1394
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libewf
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtraceevent
libtranslit
libucil
libunicap
libuninameslist
liburing
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunit
lua-rpm-macros
lua-term
luajit
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
moreutils
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
multilib-rpm-config
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvmetcli
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-migrate-parsetree
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-ppx-derivers
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-stdio
ocaml-topkg
ocaml-tyxml
ocaml-uuidm
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
opus
opusfile
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-Time-Duration
perl-TimeDate
perl-Tree-DAG_Node
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus
prometheus-node-exporter
ps_mem
psacct
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-argcomplete
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-cached_property
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-package-handling
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fields
python-filelock
python-fixtures
python-flake8
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-junit-xml
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-markdown
python-mccabe
python-memcached
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-process-tests
python-productmd
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-redis
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rpm-generators
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-sniffio
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-typing-extensions
python-uamqp
python-unittest2
python-uritemplate
python-urwid
python-varlink
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xmltodict
python-yubico
python-zipp
python-zmq
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt5-qtbase
qt5-qtconnectivity
qt5-qtdeclarative
qt5-qtsensors
qt5-qtserialport
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
quagga
quota
quotatool
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
redland
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-thread_order
rusers
rust-cbindgen
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
SDL
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
sendmail
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stunnel
subscription-manager
suitesparse
SuperLU
supermin
switcheroo-control
symlinks
sympy
sysfsutils
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
tpm-quote-tools
tpm-tools
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
z3
zenity
zerofree
zfs-fuse
zipper
zopfli
zziplib |
+| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
argparse-manpage
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bogofilter
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
containernetworking-plugins
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
double-conversion
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
evemu
execstack
exempi
exiv2
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fapolicyd
fdk-aac-free
fdupes
fence-virt
fetchmail
fftw
filebench
fio
fipscheck
firewalld
fish
flac
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fxload
gavl
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
giflib
gl-manpages
glew
glm
glog
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
kata-containers
kde-filesystem
kde-settings
kexec-tools
keybinder3
keycloak-httpd-client-install
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbi-drivers
libdbusmenu
libdc1394
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libewf
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtraceevent
libtranslit
libucil
libunicap
libuninameslist
liburing
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunit
lua-rpm-macros
lua-term
luajit
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
moreutils
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
multilib-rpm-config
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvmetcli
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-migrate-parsetree
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-ppx-derivers
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-stdio
ocaml-topkg
ocaml-tyxml
ocaml-uuidm
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
opus
opusfile
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-Time-Duration
perl-TimeDate
perl-Tree-DAG_Node
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus
prometheus-node-exporter
ps_mem
psacct
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-argcomplete
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-cached_property
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-package-handling
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fields
python-filelock
python-fixtures
python-flake8
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-junit-xml
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-markdown
python-mccabe
python-memcached
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-process-tests
python-productmd
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-redis
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rpm-generators
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-sniffio
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-typing-extensions
python-uamqp
python-unittest2
python-uritemplate
python-urwid
python-varlink
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xmltodict
python-yubico
python-zipp
python-zmq
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt5-qtbase
qt5-qtconnectivity
qt5-qtdeclarative
qt5-qtsensors
qt5-qtserialport
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
quagga
quota
quotatool
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
redland
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-thread_order
rusers
rust-cbindgen
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
SDL
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
sendmail
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stunnel
subscription-manager
suitesparse
SuperLU
supermin
switcheroo-control
symlinks
sympy
sysfsutils
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
tpm-quote-tools
tpm-tools
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
virtiofsd
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
z3
zenity
zerofree
zfs-fuse
zipper
zopfli
zziplib |
 | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq |
 | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib |
 | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka |
diff --git a/SPECS/LICENSES-AND-NOTICES/data/licenses.json
index 522e63f3f69..f89e5508bec 100644
--- a/SPECS/LICENSES-AND-NOTICES/data/licenses.json
+++ b/SPECS/LICENSES-AND-NOTICES/data/licenses.json
@@ -2043,6 +2043,7 @@
 "virt-top",
 "virt-what",
 "virt-who",
+ "virtiofsd",
 "vitess",
 "vmem",
 "volume_key",
diff --git a/SPECS/application-gateway-kubernetes-ingress/CVE-2022-21698.patch
new file mode 100644
index 00000000000..d182f16619a
--- /dev/null
+++ b/SPECS/application-gateway-kubernetes-ingress/CVE-2022-21698.patch
@@ -0,0 +1,364 @@
+From 253029f7ffbade99588df59a8b89a35d99197fe0 Mon Sep 17 00:00:00 2001
+From: Tobias Brick
+Date: Tue, 18 Jan 2022 10:19:28 +0100
+Subject: [PATCH] Port upstream patch
+ https://github.com/prometheus/client_golang/commit/9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7
+
+Differences:
+- Removed tests
+- Removed some comments that don't merge
+- Line numbers and such
+
+Based on:
+
+From 9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 Mon Sep 17 00:00:00 2001
+From: Kemal Akkoyun
+Date: Tue, 18 Jan 2022 10:19:28 +0100
+Subject: [PATCH] promhttp: Check validity of method and code label values
+ (#962)
+
+* Check validity of method and code label values
+
+Signed-off-by: Kemal Akkoyun
+
+* Use more flexibly functional option pattern for configuration
+
+Signed-off-by: Kemal Akkoyun
+
+* Update documentation
+
+Signed-off-by: Kemal Akkoyun
+
+* Simplify
+
+Signed-off-by: Kemal Akkoyun
+
+* Fix inconsistent method naming
+
+Signed-off-by: Kemal Akkoyun
+---
+ prometheus/promhttp/instrument_client.go | 28 ++++++--
+ prometheus/promhttp/instrument_server.go | 82 ++++++++++++++++++------
+ prometheus/promhttp/option.go | 31 +++++++++
+ 3 files changed, 116 insertions(+), 25 deletions(-)
+ create mode 100644 prometheus/promhttp/option.go
+
+diff --git a/prometheus/promhttp/instrument_client.go b/prometheus/promhttp/instrument_client.go
+index 83c49b6..861b4d2 100644
+--- a/prometheus/promhttp/instrument_client.go
++++ b/prometheus/promhttp/instrument_client.go
+@@ -49,7 +49,10 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp
+ // http.RoundTripper to observe the request result with the provided CounterVec.
+ // The CounterVec must have zero, one, or two non-const non-curried labels. For
+ // those, the only allowed label names are "code" and "method". The function
+-// panics otherwise. Partitioning of the CounterVec happens by HTTP status code
++// panics otherwise. For the "method" label a predefined default label value set
++// is used to filter given values. Values besides predefined values will count
++// as `unknown` method.`WithExtraMethods` can be used to add more
++// methods to the set. Partitioning of the CounterVec happens by HTTP status code
+ // and/or HTTP method if the respective instance label names are present in the
+ // CounterVec. For unpartitioned counting, use a CounterVec with zero labels.
+ //
+@@ -57,13 +60,18 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp
+ // is not incremented.
+ //
+ // See the example for ExampleInstrumentRoundTripperDuration for example usage.
+-func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper) RoundTripperFunc {
++func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper, opts ...Option) RoundTripperFunc {
++ rtOpts := &option{}
++ for _, o := range opts {
++ o(rtOpts)
++ }
++
+ code, method := checkLabels(counter)
+
+ return RoundTripperFunc(func(r *http.Request) (*http.Response, error) {
+ resp, err := next.RoundTrip(r)
+ if err == nil {
+- counter.With(labels(code, method, r.Method, resp.StatusCode)).Inc()
++ counter.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Inc()
+ }
+ return resp, err
+ })
+@@ -73,7 +81,10 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou
+ // http.RoundTripper to observe the request duration with the provided
+ // ObserverVec. The ObserverVec must have zero, one, or two non-const
+ // non-curried labels. For those, the only allowed label names are "code" and
+-// "method". The function panics otherwise. The Observe method of the Observer
++// "method". The function panics otherwise. For the "method" label a predefined
++// default label value set is used to filter given values. Values besides
++// predefined values will count as `unknown` method. `WithExtraMethods`
++// can be used to add more methods to the set. The Observe method of the Observer
+ // in the ObserverVec is called with the request duration in
+ // seconds. Partitioning happens by HTTP status code and/or HTTP method if the
+ // respective instance label names are present in the ObserverVec. For
+@@ -85,14 +96,19 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou
+ //
+ // Note that this method is only guaranteed to never observe negative durations
+ // if used with Go1.9+.
+-func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper) RoundTripperFunc {
++func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper, opts ...Option) RoundTripperFunc {
++ rtOpts := &option{}
++ for _, o := range opts {
++ o(rtOpts)
++ }
++
+ code, method := checkLabels(obs)
+
+ return RoundTripperFunc(func(r *http.Request) (*http.Response, error) {
+ start := time.Now()
+ resp, err := next.RoundTrip(r)
+ if err == nil {
+- obs.With(labels(code, method, r.Method, resp.StatusCode)).Observe(time.Since(start).Seconds())
++ obs.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Observe(time.Since(start).Seconds())
+ }
+ return resp, err
+ })
+diff --git a/prometheus/promhttp/instrument_server.go b/prometheus/promhttp/instrument_server.go
+index 9db2438..91802f8 100644
+--- a/prometheus/promhttp/instrument_server.go
++++ b/prometheus/promhttp/instrument_server.go
+@@ -58,7 +58,12 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next http.Handler) http.Handl
+ //
+ // Note that this method is only guaranteed to never observe negative durations
+ // if used with Go1.9+.
+-func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc {
++func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc {
++ mwOpts := &option{}
++ for _, o := range opts {
++ o(mwOpts)
++ }
++
+ code, method := checkLabels(obs)
+
+ if code {
+@@ -67,14 +72,14 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht
+ d := newDelegator(w, nil)
+ next.ServeHTTP(d, r)
+
+- obs.With(labels(code, method, r.Method, d.Status())).Observe(time.Since(now).Seconds())
++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(time.Since(now).Seconds())
+ })
+ }
+
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ now := time.Now()
+ next.ServeHTTP(w, r)
+- obs.With(labels(code, method, r.Method, 0)).Observe(time.Since(now).Seconds())
++ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds())
+ })
+ }
+
+@@ -91,20 +96,25 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht
+ // If the wrapped Handler panics, the Counter is not incremented.
+ //
+ // See the example for InstrumentHandlerDuration for example usage.
+-func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) http.HandlerFunc {
++func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler, opts ...Option) http.HandlerFunc {
++ mwOpts := &option{}
++ for _, o := range opts {
++ o(mwOpts)
++ }
++
+ code, method := checkLabels(counter)
+
+ if code {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ d := newDelegator(w, nil)
+ next.ServeHTTP(d, r)
+- counter.With(labels(code, method, r.Method, d.Status())).Inc()
++ counter.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Inc()
+ })
+ }
+
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ next.ServeHTTP(w, r)
+- counter.With(labels(code, method, r.Method, 0)).Inc()
++ counter.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Inc()
+ })
+ }
+
+@@ -126,13 +136,18 @@ func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler)
+ // if used with Go1.9+.
+ //
+ // See the example for InstrumentHandlerDuration for example usage.
+-func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc {
++func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc {
++ mwOpts := &option{}
++ for _, o :=	range opts {
++ o(mwOpts)
++ }
++
+ code, method := checkLabels(obs)
+
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ now := time.Now()
+ d := newDelegator(w, func(status int) {
+- obs.With(labels(code, method, r.Method, status)).Observe(time.Since(now).Seconds())
++ obs.With(labels(code, method, r.Method, status, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds())
+ })
+ next.ServeHTTP(d, r)
+ })
+@@ -154,7 +169,12 @@ func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Ha
+ // If the wrapped Handler panics, no values are reported.
+ //
+ // See the example for InstrumentHandlerDuration for example usage.
+-func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc {
++func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc {
++ mwOpts := &option{}
++ for _, o := range opts {
++ o(mwOpts)
++ }
++
+ code, method := checkLabels(obs)
+
+ if code {
+@@ -162,14 +182,14 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler)
+ d := newDelegator(w, nil)
+ next.ServeHTTP(d, r)
+ size := computeApproximateRequestSize(r)
+- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(size))
++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(size))
+ })
+ }
+
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ next.ServeHTTP(w, r)
+ size := computeApproximateRequestSize(r)
+- obs.With(labels(code, method, r.Method, 0)).Observe(float64(size))
++ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(float64(size))
+ })
+ }
+
+@@ -189,12 +209,18 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler)
+ // If the wrapped Handler panics, no values are reported.
+ //
+ // See the example for InstrumentHandlerDuration for example usage.
+-func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler) http.Handler {
++func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.Handler {
++ mwOpts := &option{}
++ for _, o := range opts {
++ o(mwOpts)
++ }
++
+ code, method := checkLabels(obs)
++
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ d := newDelegator(w, nil)
+ next.ServeHTTP(d, r)
+- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(d.Written()))
++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(d.Written()))
+ })
+ }
+
+@@ -279,7 +305,7 @@ func isLabelCurried(c prometheus.Collector, label string) bool {
+ // unnecessary allocations on each request.
+ var emptyLabels = prometheus.Labels{}
+
+-func labels(code, method bool, reqMethod string, status int) prometheus.Labels {
++func labels(code, method bool, reqMethod string, status int, extraMethods ...string) prometheus.Labels {
+ if !(code || method) {
+ return emptyLabels
+ }
+@@ -289,7 +315,7 @@ func labels(code, method bool, reqMethod string, status int) prometheus.Labels {
+ labels["code"] = sanitizeCode(status)
+ }
+ if method {
+- labels["method"] = sanitizeMethod(reqMethod)
++ labels["method"] = sanitizeMethod(reqMethod, extraMethods...)
+ }
+
+ return labels
+@@ -319,7 +345,12 @@ func computeApproximateRequestSize(r *http.Request) int {
+ return s
+ }
+
+-func sanitizeMethod(m string) string {
++// If the wrapped http.Handler has a known method, it will be sanitized and returned.
++// Otherwise, "unknown" will be returned. The known method list can be extended
++// as needed by using extraMethods parameter.
++func sanitizeMethod(m string, extraMethods ...string) string {
++ // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for
++ // the methods chosen as default.
+ switch m {
+ case "GET", "get":
+ return "get"
+@@ -337,15 +368,25 @@ func sanitizeMethod(m string) string {
+ return "options"
+ case "NOTIFY", "notify":
+ return "notify"
++ case "TRACE", "trace":
++ return "trace"
++ case "PATCH", "patch":
++ return "patch"
+ default:
+- return strings.ToLower(m)
++ for _, method := range extraMethods {
++ if strings.EqualFold(m, method) {
++ return strings.ToLower(m)
++ }
++ }
++ return "unknown"
+ }
+ }
+
+ // If the wrapped http.Handler has not set a status code, i.e. the value is
+-// currently 0, santizeCode will return 200, for consistency with behavior in
++// currently 0, sanitizeCode will return 200, for consistency with behavior in
+ // the stdlib.
+ func sanitizeCode(s int) string {
++ // See for accepted codes https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
+ switch s {
+ case 100:
+ return "100"
+@@ -442,6 +483,9 @@ func sanitizeCode(s int) string {
+ return "511"
+
+ default:
+- return strconv.Itoa(s)
++ if s >= 100 && s <= 599 {
++ return strconv.Itoa(s)
++ }
++ return "unknown"
+ }
+ }
+diff --git a/prometheus/promhttp/option.go b/prometheus/promhttp/option.go
+new file mode 100644
+index 0000000..35e41bd
+--- /dev/null
++++ b/prometheus/promhttp/option.go
+@@ -0,0 +1,31 @@
++// Copyright 2022 The Prometheus Authors
++// Licensed under the Apache License, Version 2.0 (the "License");
++// you may not use this file except in compliance with the License.
++// You may obtain a copy of the License at
++//
++// http://www.apache.org/licenses/LICENSE-2.0
++//
++// Unless required by applicable law or agreed to in writing, software
++// distributed under the License is distributed on an "AS IS" BASIS,
++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++// See the License for the specific language governing permissions and
++// limitations under the License.
++
++package promhttp
++
++// Option are used to configure a middleware or round tripper..
++type Option func(*option)
++
++type option struct {
++ extraMethods []string
++}
++
++// WithExtraMethods adds additional HTTP methods to the list of allowed methods.
++// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for the default list.
++//
++// See the example for ExampleInstrumentHandlerWithExtraMethods for example usage.
++func WithExtraMethods(methods ...string) Option {
++ return func(o *option) {
++ o.extraMethods = methods
++ }
++}
+--
+2.33.8
+
diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec
index 14bfbb8956a..b7af118bd4d 100644
--- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec
+++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec
@@ -2,7 +2,7 @@ Summary: Application Gateway Ingress Controller
 Name: application-gateway-kubernetes-ingress
 Version: 1.4.0
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -24,7 +24,8 @@ Source0: %{name}-%{version}.tar.gz
 # -cf %%{name}-%%{version}-vendor.tar.gz vendor
 #
 Source1: %{name}-%{version}-vendor.tar.gz
-
+# If upstream ever upgrades client_goland to 1.11.1, we can get rid of this patch.
+Patch0: CVE-2022-21698.patch
 BuildRequires: golang >= 1.13
 %description
@@ -32,12 +33,12 @@ This is an ingress controller that can be run on Azure Kubernetes Service (AKS)
 to act as the ingress for an AKS cluster.
 %prep
-%autosetup
-
-%build
+%autosetup -N
 rm -rf vendor
 tar -xf %{SOURCE1} --no-same-owner
+%patch 0 -p1 -d vendor/github.com/prometheus/client_golang
+%build
 export VERSION=%{version}
 export VERSION_PATH=github.com/Azure/application-gateway-kubernetes-ingress/pkg/version
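Review bot: The comment above the new `Patch0` line misspells the module (`client_goland`) and does not say which copy of the module the patch targets, which matters here because the %prep hunk applies it under `vendor/github.com/prometheus/client_golang` extracted from Source1, not to an upstream release tree. Suggest `# Backport of the upstream fix for CVE-2022-21698 into the vendored github.com/prometheus/client_golang (from Source1); drop once the vendored module is >= 1.11.1.` so the next servicing pass knows what to check.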
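Review bot: The new %prep keeps `%autosetup` and only adds `-N`, yet this commit's changelog entry (next hunk) describes the change as "changed from %autosetup to %setup", so the changelog and the spec disagree; the entry should read something like `- Moved vendored tarball extraction into %prep and switched to %autosetup -N with an explicit %patch into the vendored module`. Because `-N` suppresses automatic patch application, any PatchN added later will be silently ignored unless it also gets its own `%patch` line, which is worth stating next to the flag: `# -N: patches are applied manually below because Patch0 targets the vendored module, not the source tree.`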
@@ -54,6 +55,10 @@ cp appgw-ingress %{buildroot}%{_bindir}/
 %{_bindir}/appgw-ingress
 %changelog
+* Mon Jan 01 2024 Tobias Brick - 1.4.0-17
+- Patch for CVE-2022-21698
+- Moved vendored tarball extraction into %prep and changed from %autosetup to %setup
+
+* Mon Oct 16 2023 CBL-Mariner Servicing Account - 1.4.0-16
+- Bump release to rebuild with go 1.20.9
diff --git a/SPECS/azure-iot-sdk-c/CVE-2024-21646.patch b/SPECS/azure-iot-sdk-c/CVE-2024-21646.patch
new file mode 100644
index 00000000000..7da1bb96837
--- /dev/null
+++ b/SPECS/azure-iot-sdk-c/CVE-2024-21646.patch
@@ -0,0 +1,22 @@
+diff -ruN a/uamqp/src/amqpvalue.c b/uamqp/src/amqpvalue.c
+--- a/uamqp/src/amqpvalue.c 2024-01-16 16:24:25.728073998 -0800
++++ b/uamqp/src/amqpvalue.c 2024-01-17 04:45:07.632022782 -0800
+@@ -5912,7 +5912,17 @@
+ }
+ else
+ {
+- internal_decoder_data->decode_to_value->value.binary_value.bytes = (unsigned char*)malloc((size_t)internal_decoder_data->decode_to_value->value.binary_value.length + 1);
++ size_t malloc_size = (size_t)internal_decoder_data->decode_to_value->value.binary_value.length + 1;
++ if (malloc_size == 0)
++ {
++ internal_decoder_data->decode_to_value->value.binary_value.bytes = NULL;
++ LogError("Invalid binary_value size exceeded max allocation");
++ }
++ else
++ {
++ internal_decoder_data->decode_to_value->value.binary_value.bytes = (unsigned char*)malloc(malloc_size);
++ }
++
+ if (internal_decoder_data->decode_to_value->value.binary_value.bytes == NULL)
+ {
+ /* Codes_SRS_AMQPVALUE_01_326: [If any allocation failure occurs during decoding, amqpvalue_decode_bytes shall fail and return a non-zero value.] */
diff --git a/SPECS/azure-iot-sdk-c/azure-iot-sdk-c.spec b/SPECS/azure-iot-sdk-c/azure-iot-sdk-c.spec
index b4dead98c5a..015b86da6d1 100644
--- a/SPECS/azure-iot-sdk-c/azure-iot-sdk-c.spec
+++ b/SPECS/azure-iot-sdk-c/azure-iot-sdk-c.spec
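Review bot: The new guard only fires when `(size_t)length + 1` wraps to zero, i.e. when `length` already equals `SIZE_MAX`; if `binary_value.length` is a 32-bit field that can only happen on 32-bit builds, and on 64-bit builds a length of up to 4 GiB still reaches `malloc` unchecked. Whether that is acceptable depends on the surrounding decoder having already bounded `length` against the remaining input before this point, which is outside the hunk; if it has not, the check here should reject oversized lengths rather than only the wraparound. The patch file also carries no preamble naming the upstream uamqp fix it backports, so the next servicing pass cannot verify it against upstream; add a short header above `diff -ruN` giving that reference. The enclosing function starts and ends outside the hunk.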
@@ -7,7 +7,7 @@ Name: azure-iot-sdk-c
 # Since we want to control the release number as thr distribution, this scheme is not applicable for us.
 # They also used to use a regular versioning scheme like 1.3.7 but they did not tag their latest LTS with a version like that.
 Version: 2022.01.21
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MIT
 Group: Applications/File
 URL: https://github.com/Azure/azure-iot-sdk-c
@@ -20,7 +20,7 @@ Distribution: Mariner
 # git clone --recursive --single-branch --branch LTS_01_2022_Ref01 --depth 1 https://github.com/Azure/azure-iot-sdk-c.git
 # tar cjvf azure-iot-sdk-c-2022.01.21.tar.bz2 azure-iot-sdk-c/
 Source0: %{name}-%{version}.tar.bz2
-
+Patch0: CVE-2024-21646.patch
 BuildRequires: cmake
 BuildRequires: build-essential
 BuildRequires: curl-devel
@@ -45,7 +45,7 @@ operating systems, tools sets, protocols and communications patterns widely in u
 %global debug_package %{nil}
 %prep
-%setup -qn %{name}
+%autosetup -p1 -n %{name}
 %build
 mkdir cmake
@@ -86,6 +86,10 @@ install -p -m 755 provisioning_client/tools/tpm_device_provision/tpm_device_prov
 /usr/cmake/*
 %changelog
+* Tue Jan 16 2024 Minghe Ren - 2022.01.21-2
+- Add patch for CVE-2024-21646
+- change to use autosetup
+
+* Mon Jan 24 2022 Nicolas Guibourge - 2022.01.21-1
+- Upgrade to 2022.01.21.
diff --git a/SPECS/binutils/binutils.spec b/SPECS/binutils/binutils.spec
index c112f4c0c7c..21baffb21bc 100644
--- a/SPECS/binutils/binutils.spec
+++ b/SPECS/binutils/binutils.spec
@@ -1,7 +1,27 @@
+# Where the binaries aimed at gcc will live (ie. /usr//bin/).
+%global auxbin_prefix %{_exec_prefix}
+
+%global srcdir %{name}-%{version}
+
+%ifarch x86_64
+ %global build_cross 1
+%else
+ %global build_cross 0
+%endif
+
+%global build_aarch64 %{build_cross}
+
+%global do_files() \
+%if %2 \
+%files -n binutils-%1 \
+%{_prefix}/%1 \
+%{_bindir}/%1-* \
+%endif
+
 Summary: Contains a linker, an assembler, and other tools
 Name: binutils
 Version: 2.37
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -16,8 +36,20 @@ Patch2: thin_archive_descriptor.patch
 Patch3: CVE-2021-45078.patch
 Patch4: CVE-2022-38533.patch
 Patch5: CVE-2022-4285.patch
+# The gold linker doesn't understand the 'module_info.ld' script passed to all linkers and the tests fail to correctly link.
+Patch6: disable_gold_test.patch
 Provides: bundled(libiberty)
+# Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
+%global do_package() \
+%if %2 \
+%package -n binutils-%1 \
+Summary: Cross-build binary utilities for %1 \
+Requires: cross-%{name}-common = %{version}-%{release} \
+%description -n binutils-%1 \
+Cross-build binary image generation, manipulation and query tools for the %1 architecture. \
+%endif
+
 %description
 The Binutils package contains a linker, an assembler, and other tools
 for handling object files.
@@ -30,10 +62,66 @@ Requires: %{name} = %{version}
 It contains the libraries and header files to create applications for
 handling compiled objects.
+%if %{build_cross}
+%package -n cross-%{name}-common
+Summary: Cross-compilation binutils documentation
+BuildArch: noarch
+
+%description -n cross-%{name}-common
+Documentation for the cross-compilation binutils package.
+%endif
+
+%do_package aarch64-linux-gnu %{build_aarch64}
+
 %prep
-%autosetup -p1
+%setup -q -c
+
+function prep_target () {
+ local target=$1
+ local condition=$2
+
+ if [ $condition != 0 ]
+ then
+ echo $1 >> cross.list
+ fi
+}
+
+pushd %{srcdir}
+%autopatch -p1
+popd
+
+touch cross.list
+prep_target aarch64-linux-gnu %{build_aarch64}
 %build
+
+function config_cross_target () {
+ local target=$1
+
+ cp -r %{srcdir} $target
+ pushd $target
+
+ %configure \
+ --exec-prefix=%{auxbin_prefix} \
+ --program-prefix=$target- \
+ --target=$target \
+ --disable-multilib \
+ --disable-nls \
+ --disable-install_libbfd \
+ --with-sysroot=%{_prefix}/$target/sys-root
+
+ popd
+}
+
+# Native components build steps.
+
+# Copying extracted sources for each run of "configure" and "make".
+# Building in separate subdirectories but with a single source causes
+# other packages to fail with a "configure: error: C compiler cannot create executables" error.
+# Proper fix needed and moved to a separate bug at the time of writing this comment.
+cp -r %{srcdir} build
+pushd build
+
 %configure \
 --disable-silent-rules \
 --disable-werror \
@@ -43,26 +131,94 @@ for handling compiled objects.
 --enable-shared \
 --with-system-zlib
-%make_build tooldir=%{_prefix}
+popd
+%make_build -C build tooldir=%{_prefix}
+
+
+# Cross-compilation components build steps.
+
+while read -r target
+do
+ echo "=== BUILD cross-compilation target $target ==="
+ config_cross_target $target
+ %make_build -C $target tooldir=%{_prefix}
+done < cross.list
+
+%if %{build_cross}
+ # For documentation purposes only.
+
+ cp -r %{srcdir} cross-binutils
+ pushd cross-binutils
+
+ # $PACKAGE is used for the gettext catalog name when building 'cross-binutils-common'.
+ sed -i -e 's/^ PACKAGE=/ PACKAGE=cross-/' */configure
+
+ %configure \
+ --exec-prefix=%{auxbin_prefix} \
+ --program-prefix=cross- \
+ --disable-dependency-tracking \
+ --disable-silent-rules \
+ --disable-shared
+
+ popd
+ %make_build -C cross-binutils tooldir=%{_prefix}
+%endif
+
 %install
+# Native components installation steps.
+
+pushd build
+
 %make_install tooldir=%{_prefix}
-find %{buildroot} -type f -name "*.la" -delete -print
-rm -rf %{buildroot}%{_infodir}
 %find_lang %{name} --all-name
 install -m 644 libiberty/pic/libiberty.a %{buildroot}%{_libdir}
 install -m 644 include/libiberty.h %{buildroot}%{_includedir}
+popd
+
+# Cross-compilation components installation steps.
+
+while read -r target
+do
+ echo "=== INSTALL cross-compilation target $target ==="
+ mkdir -p %{buildroot}%{_prefix}/$target/sys-root
+ %make_install -C $target tooldir=%{auxbin_prefix}/$target
+
+ # Remove cross man files and ldscripts.
+ rm -rf %{buildroot}%{_mandir}/man1/$target-*
+ rm -rf %{buildroot}%{auxbin_prefix}/*/lib
+done < cross.list
+
+rm -rf %{buildroot}%{_infodir}
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%if %{build_cross}
+ echo "=== INSTALL po targets ==="
+ for binary_name in binutils opcodes bfd gas ld gprof
+ do
+ %make_install -C cross-binutils/$binary_name/po
+ done
+
+ # Find the language files which only exist in the common package.
+ (
+ for binary_name in binutils opcodes bfd gas ld gprof
+ do
+ %find_lang cross-$binary_name
+ cat cross-${binary_name}.lang
+ done
+ ) >files.cross
+%endif
+
 %check
-sed -i 's/testsuite/ /g' gold/Makefile
-%make_build check
+%make_build -C build tooldir=%{_prefix} check
 %ldconfig_scriptlets
-%files -f %{name}.lang
+%files -f build/%{name}.lang
 %defattr(-,root,root)
-%license COPYING
+%license %{srcdir}/COPYING
 %{_bindir}/dwp
 %{_bindir}/gprof
 %{_bindir}/ld.bfd
@@ -82,6 +238,8 @@ sed -i 's/testsuite/ /g' gold/Makefile
 %{_bindir}/readelf
 %{_bindir}/strip
 %{_libdir}/ldscripts/*
+%{_libdir}/libbfd-%{version}.so
+%{_libdir}/libopcodes-%{version}.so
 %{_mandir}/man1/readelf.1.gz
 %{_mandir}/man1/windmc.1.gz
 %{_mandir}/man1/ranlib.1.gz
@@ -100,8 +258,6 @@ sed -i 's/testsuite/ /g' gold/Makefile
 %{_mandir}/man1/windres.1.gz
 %{_mandir}/man1/size.1.gz
 %{_mandir}/man1/objdump.1.gz
-%{_libdir}/libbfd-%{version}.so
-%{_libdir}/libopcodes-%{version}.so
 %files devel
 %{_includedir}/ansidecl.h
@@ -130,7 +286,18 @@ sed -i 's/testsuite/ /g' gold/Makefile
 %{_libdir}/libopcodes.a
 %{_libdir}/libopcodes.so
+%if %{build_cross}
+%files -n cross-%{name}-common -f files.cross
+%license %{srcdir}/COPYING
+%endif
+
+%do_files aarch64-linux-gnu %{build_aarch64}
+
 %changelog
+* Fri Nov 17 2023 Pawel Winogrodzki - 2.37-8
+- Add the cross-compilation subpackage for aarch64.
+- Used Fedora 38 spec (license: MIT) for guidance.
+
+* Wed Sep 20 2023 Jon Slobodzian - 2.37-7
+- Recompile with stack-protection fixed gcc version (CVE-2023-4039)
diff --git a/SPECS/binutils/disable_gold_test.patch b/SPECS/binutils/disable_gold_test.patch
new file mode 100644
index 00000000000..0acc864d6dc
--- /dev/null
+++ b/SPECS/binutils/disable_gold_test.patch
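Review bot: `rm -rf %{buildroot}%{auxbin_prefix}/*/lib` inside the cross-install loop deletes the `lib` directory under every subdirectory of `%{_exec_prefix}` in the buildroot on every iteration, not only the one belonging to `$target`, so it would silently remove files installed for another target or by the native build if such a path ever appears, while the comment above it (`Remove cross man files and ldscripts.`) promises a narrower effect. Scope it to the target being processed: `rm -rf %{buildroot}%{auxbin_prefix}/$target/lib`. The `%install` section continues past the end of the hunk.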
@@ -0,0 +1,34 @@
+diff --git a/Makefile.in b/Makefile.in
+index 9b3a5d75..8c955d5a 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -16070,13 +16070,7 @@ maybe-check-gold:
+ @if gold
+ maybe-check-gold: check-gold
+
+-check-gold:
+- @: $(MAKE); $(unstage)
+- @r=`${PWD_COMMAND}`; export r; \
+- s=`cd $(srcdir); ${PWD_COMMAND}`; export s; \
+- $(HOST_EXPORTS) $(EXTRA_HOST_EXPORTS) \
+- (cd $(HOST_SUBDIR)/gold && \
+- $(MAKE) $(FLAGS_TO_PASS) $(EXTRA_BOOTSTRAP_FLAGS) check)
++check-gold: ;
+
+ @endif gold
+
+@@ -52322,14 +52316,12 @@ all-stage3-gold: maybe-all-stage3-gas
+ all-stage4-gold: maybe-all-stage4-gas
+ all-stageprofile-gold: maybe-all-stageprofile-gas
+ all-stagefeedback-gold: maybe-all-stagefeedback-gas
+-check-gold: maybe-all-binutils
+ check-stage1-gold: maybe-all-stage1-binutils
+ check-stage2-gold: maybe-all-stage2-binutils
+ check-stage3-gold: maybe-all-stage3-binutils
+ check-stage4-gold: maybe-all-stage4-binutils
+ check-stageprofile-gold: maybe-all-stageprofile-binutils
+ check-stagefeedback-gold: maybe-all-stagefeedback-binutils
+-check-gold: maybe-all-gas
+ check-stage1-gold: maybe-all-stage1-gas
+ check-stage2-gold: maybe-all-stage2-gas
+ check-stage3-gold: maybe-all-stage3-gas
diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json
index aaa3747c4f1..81328d34c3b 100644
--- a/SPECS/ca-certificates/ca-certificates.signatures.json
+++ b/SPECS/ca-certificates/ca-certificates.signatures.json
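Review bot: The new patch file has no description, so the reason `check-gold` is turned into a no-op lives only in the spec's `Patch6` comment, and the hunk also drops the `check-gold: maybe-all-binutils` and `check-gold: maybe-all-gas` prerequisites without saying why. Add a short preamble above the first `diff --git` line stating that the gold testsuite fails to link with the `module_info.ld` script passed to all linkers and that the target is stubbed out rather than fixed, so the patch can be retired once that is resolved.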
@@ -1,21 +1,21 @@
 {
- "Signatures": {
- "LICENSE": "fab3dd6bdab226f1c08630b1dd917e11fcb4ec5e1e020e2c16f83a0a13863e85",
- "README.edk2": "757c28eddb0634b74e6482d16324193be27eee41864c1f96c447020dae14b44f",
- "README.etc": "6c7b9287c41c171c64b358fc7331b8a9ae969fc2d00d997d88bcbf4da0de598a",
- "README.extr": "146ff96c60a8ee32bbcf2da59d624d6ecfbab7ef7442529d46d8d63064d8ca58",
- "README.java": "7bb8781320fb3ff84e76c7e7e4a9c3813879c4f1943710a3b0140b31efacfd32",
- "README.openssl": "6c812d1ec8ce5bde2216cc42be33021d6345fbea05c14f50c52191a38c175ea9",
- "README.pem": "27362e773c8b6bb065a455a66badb05e2652720bab8ade9ab91f0404cf827dab",
- "README.src": "86184318d451bec55d70c84e618cbfe10c8adb7dc893964ce4aaecff99d83433",
- "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
- "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
- "certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
- "certdata.microsoft.txt": "dc3a69f59f98b82618490335e303ed960d706910a62f7c116a7e69ce401c6293",
- "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
- "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
- "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
- "update-ca-trust": "0c0c0600587db7f59ba5e399666152ea6de6059f37408f3946c43438d607efdd",
- "update-ca-trust.8.txt": "2470551bd11cc393ddf4cf43cf101c29d9f308c15469ee5e78908cfcf2437579"
- }
-}
+ "Signatures": {
+ "LICENSE": "fab3dd6bdab226f1c08630b1dd917e11fcb4ec5e1e020e2c16f83a0a13863e85",
+ "README.edk2": "757c28eddb0634b74e6482d16324193be27eee41864c1f96c447020dae14b44f",
+ "README.etc": "6c7b9287c41c171c64b358fc7331b8a9ae969fc2d00d997d88bcbf4da0de598a",
+ "README.extr": "146ff96c60a8ee32bbcf2da59d624d6ecfbab7ef7442529d46d8d63064d8ca58",
+ "README.java": "7bb8781320fb3ff84e76c7e7e4a9c3813879c4f1943710a3b0140b31efacfd32",
+ "README.openssl": "6c812d1ec8ce5bde2216cc42be33021d6345fbea05c14f50c52191a38c175ea9",
+ "README.pem": "27362e773c8b6bb065a455a66badb05e2652720bab8ade9ab91f0404cf827dab",
+ "README.src": "86184318d451bec55d70c84e618cbfe10c8adb7dc893964ce4aaecff99d83433",
+ "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
+ "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
+ "certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
+ "certdata.microsoft.txt": "8eea04b31e73f9e64040a2d905b02f05dc4c6f2e9964919f5921a31c1ace0d02",
+ "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
+ "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
+ "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
+ "update-ca-trust": "0c0c0600587db7f59ba5e399666152ea6de6059f37408f3946c43438d607efdd",
+ "update-ca-trust.8.txt": "2470551bd11cc393ddf4cf43cf101c29d9f308c15469ee5e78908cfcf2437579"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec
index b28194414e4..19776485e92 100644
--- a/SPECS/ca-certificates/ca-certificates.spec
+++ b/SPECS/ca-certificates/ca-certificates.spec
@@ -45,7 +45,7 @@ Name: ca-certificates
 # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well.
 Epoch: 1
 Version: 2.0.0
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: MPLv2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -324,6 +324,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %{_bindir}/bundle2pem.sh
 %changelog
+* Fri Jan 26 2024 CBL-Mariner Servicing Account - 2.0.0-15
+- Updating Microsoft trusted root CAs.
+
+* Tue Dec 05 2023 Pawel Winogrodzki - 1:2.0.0-14
+- Extending base set of certificates.
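Review bot: The only substantive change in this hunk is the new `certdata.microsoft.txt` digest, but every line is rewritten because the indentation changed and the trailing newline was dropped (`\ No newline at end of file`), which buries the one digest that needs reviewing in whitespace churn. Unless the file is regenerated by tooling that dictates this exact format, keep the original indentation and the final newline so the diff shows only `"certdata.microsoft.txt": "8eea04b31e73f9e64040a2d905b02f05dc4c6f2e9964919f5921a31c1ace0d02",`.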
diff --git a/SPECS/ca-certificates/certdata.microsoft.txt b/SPECS/ca-certificates/certdata.microsoft.txt
index 15956c4e598..cb1fd2a3b7f 100644
--- a/SPECS/ca-certificates/certdata.microsoft.txt
+++ b/SPECS/ca-certificates/certdata.microsoft.txt
@@ -1,4 +1,4 @@
-# Release: April 2023
+# Release: November 2023
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -36605,3 +36605,2280 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "Entrust P384 TLS Root CA - 2022" +# +# Issuer: CN=Entrust P384 TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Serial Number:45:3e:ef:32:da:ed:90:68:21:8d:5b:ea:0e:83:d1:65:04:2e:0f:31 +# Subject: CN=Entrust P384 TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Not Valid Before: Tue Dec 13 16:41:45 2022 +# Not Valid After : Sat Dec 07 16:41:45 2047 +# Fingerprint (SHA-256): 42:03:32:EF:87:6E:BE:78:F2:AF:5D:28:AA:AC:DE:24:AA:D0:C1:0F:8F:FA:AC:46:9E:FD:7B:D9:41:92:95:68 +# Fingerprint (SHA1): 42:4A:AE:6D:0C:8C:76:24:81:7C:DB:9C:CB:51:0D:ED:62:32:19:1D +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Entrust P384 TLS Root CA - 2022" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004\003 +\023\037\105\156\164\162\165\163\164\040\120\063\070\064\040\124 +\114\123\040\122\157\157\164\040\103\101\040\055\040\062\060\062 +\062 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004\003 +\023\037\105\156\164\162\165\163\164\040\120\063\070\064\040\124 +\114\123\040\122\157\157\164\040\103\101\040\055\040\062\060\062 +\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\105\076\357\062\332\355\220\150\041\215\133\352\016\203 +\321\145\004\056\017\061 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\101\060\202\001\306\240\003\002\001\002\002\024\105 
+\076\357\062\332\355\220\150\041\215\133\352\016\203\321\145\004 +\056\017\061\060\012\006\010\052\206\110\316\075\004\003\003\060 +\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061\026 +\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163\164 +\054\040\111\156\143\056\061\050\060\046\006\003\125\004\003\023 +\037\105\156\164\162\165\163\164\040\120\063\070\064\040\124\114 +\123\040\122\157\157\164\040\103\101\040\055\040\062\060\062\062 +\060\036\027\015\062\062\061\062\061\063\061\066\064\061\064\065 +\132\027\015\064\067\061\062\060\067\061\066\064\061\064\065\132 +\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004\003 +\023\037\105\156\164\162\165\163\164\040\120\063\070\064\040\124 +\114\123\040\122\157\157\164\040\103\101\040\055\040\062\060\062 +\062\060\166\060\020\006\007\052\206\110\316\075\002\001\006\005 +\053\201\004\000\042\003\142\000\004\071\053\213\326\167\162\125 +\076\267\246\361\153\352\066\056\172\151\052\313\076\225\144\073 +\301\253\243\011\014\207\255\302\055\030\103\276\217\166\035\120 +\323\000\337\071\133\042\151\076\304\313\331\237\034\055\205\152 +\327\157\174\173\175\161\104\061\072\371\314\200\037\247\361\141 +\337\014\333\106\135\033\306\200\113\365\155\037\234\333\321\022 +\264\034\002\031\343\103\147\114\325\243\143\060\141\060\035\006 +\003\125\035\016\004\026\004\024\304\056\200\174\137\160\222\004 +\206\114\236\122\313\053\147\305\007\152\202\223\060\037\006\003 +\125\035\043\004\030\060\026\200\024\304\056\200\174\137\160\222 +\004\206\114\236\122\313\053\147\305\007\152\202\223\060\017\006 +\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\016 +\006\003\125\035\017\001\001\377\004\004\003\002\001\206\060\012 +\006\010\052\206\110\316\075\004\003\003\003\151\000\060\146\002 +\061\000\242\366\152\031\227\132\135\031\176\124\114\313\046\043 
+\113\352\373\373\332\100\162\225\152\236\301\123\145\072\242\304 +\024\306\362\020\021\063\232\007\123\143\063\225\041\152\046\263 +\324\343\002\061\000\236\250\201\255\331\330\122\127\040\240\263 +\360\172\273\115\235\340\112\005\065\045\114\165\115\122\266\353 +\226\352\042\240\131\066\274\020\047\170\375\003\373\331\025\271 +\210\132\256\377\065 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "Entrust P384 TLS Root CA - 2022" +# Issuer: CN=Entrust P384 TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Serial Number:45:3e:ef:32:da:ed:90:68:21:8d:5b:ea:0e:83:d1:65:04:2e:0f:31 +# Subject: CN=Entrust P384 TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Not Valid Before: Tue Dec 13 16:41:45 2022 +# Not Valid After : Sat Dec 07 16:41:45 2047 +# Fingerprint (SHA-256): 42:03:32:EF:87:6E:BE:78:F2:AF:5D:28:AA:AC:DE:24:AA:D0:C1:0F:8F:FA:AC:46:9E:FD:7B:D9:41:92:95:68 +# Fingerprint (SHA1): 42:4A:AE:6D:0C:8C:76:24:81:7C:DB:9C:CB:51:0D:ED:62:32:19:1D +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Entrust P384 TLS Root CA - 2022" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\102\112\256\155\014\214\166\044\201\174\333\234\313\121\015\355 +\142\062\031\035 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\245\045\242\110\115\070\332\302\173\001\004\332\261\113\045\254 +END +CKA_ISSUER MULTILINE_OCTAL +\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004\003 +\023\037\105\156\164\162\165\163\164\040\120\063\070\064\040\124 +\114\123\040\122\157\157\164\040\103\101\040\055\040\062\060\062 +\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\105\076\357\062\332\355\220\150\041\215\133\352\016\203 +\321\145\004\056\017\061 +END +CKA_TRUST_SERVER_AUTH 
CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "Entrust P384 EV TLS Root CA - 2022" +# +# Issuer: CN=Entrust P384 EV TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Serial Number:09:75:58:f5:a1:6c:16:87:7b:bd:06:4f:fd:9c:e4:83:ba:4b:04:0b +# Subject: CN=Entrust P384 EV TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Not Valid Before: Tue Dec 13 16:46:44 2022 +# Not Valid After : Sat Dec 07 16:46:44 2047 +# Fingerprint (SHA-256): 93:7E:F8:F1:22:76:B3:C7:A3:F5:8E:34:5D:09:A6:EF:F0:1F:86:2F:8D:27:94:44:1C:D8:4D:51:18:25:FA:0C +# Fingerprint (SHA1): 1E:6C:44:DC:64:73:D4:81:9B:E8:9F:B2:37:AF:48:83:FC:37:69:87 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Entrust P384 EV TLS Root CA - 2022" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\122\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\053\060\051\006\003\125\004\003 +\023\042\105\156\164\162\165\163\164\040\120\063\070\064\040\105 +\126\040\124\114\123\040\122\157\157\164\040\103\101\040\055\040 +\062\060\062\062 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\122\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\053\060\051\006\003\125\004\003 +\023\042\105\156\164\162\165\163\164\040\120\063\070\064\040\105 +\126\040\124\114\123\040\122\157\157\164\040\103\101\040\055\040 +\062\060\062\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\011\165\130\365\241\154\026\207\173\275\006\117\375\234 +\344\203\272\113\004\013 +END +CKA_VALUE MULTILINE_OCTAL 
+\060\202\002\106\060\202\001\314\240\003\002\001\002\002\024\011 +\165\130\365\241\154\026\207\173\275\006\117\375\234\344\203\272 +\113\004\013\060\012\006\010\052\206\110\316\075\004\003\003\060 +\122\061\013\060\011\006\003\125\004\006\023\002\125\123\061\026 +\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163\164 +\054\040\111\156\143\056\061\053\060\051\006\003\125\004\003\023 +\042\105\156\164\162\165\163\164\040\120\063\070\064\040\105\126 +\040\124\114\123\040\122\157\157\164\040\103\101\040\055\040\062 +\060\062\062\060\036\027\015\062\062\061\062\061\063\061\066\064 +\066\064\064\132\027\015\064\067\061\062\060\067\061\066\064\066 +\064\064\132\060\122\061\013\060\011\006\003\125\004\006\023\002 +\125\123\061\026\060\024\006\003\125\004\012\023\015\105\156\164 +\162\165\163\164\054\040\111\156\143\056\061\053\060\051\006\003 +\125\004\003\023\042\105\156\164\162\165\163\164\040\120\063\070 +\064\040\105\126\040\124\114\123\040\122\157\157\164\040\103\101 +\040\055\040\062\060\062\062\060\166\060\020\006\007\052\206\110 +\316\075\002\001\006\005\053\201\004\000\042\003\142\000\004\060 +\075\055\252\171\046\126\151\354\170\326\255\203\303\275\032\343 +\356\121\273\040\064\142\377\260\346\375\250\375\267\035\255\076 +\344\054\202\301\016\177\165\013\205\376\235\002\102\303\207\310 +\006\106\221\300\300\115\274\210\150\372\143\352\015\352\166\373 +\360\233\346\235\337\106\307\016\351\067\220\200\151\372\337\122 +\366\032\074\032\220\215\377\041\077\057\004\212\252\306\125\243 +\143\060\141\060\035\006\003\125\035\016\004\026\004\024\023\162 +\020\256\202\130\017\301\070\233\274\266\246\114\005\312\216\204 +\150\277\060\037\006\003\125\035\043\004\030\060\026\200\024\023 +\162\020\256\202\130\017\301\070\233\274\266\246\114\005\312\216 +\204\150\277\060\017\006\003\125\035\023\001\001\377\004\005\060 +\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004 +\003\002\001\206\060\012\006\010\052\206\110\316\075\004\003\003 
+\003\150\000\060\145\002\060\120\133\151\126\145\067\344\075\364 +\175\331\263\211\045\141\120\035\374\307\164\020\216\237\140\327 +\214\303\122\252\113\301\375\363\134\270\103\074\321\370\004\256 +\047\374\004\202\165\376\316\002\061\000\256\317\144\143\255\317 +\366\255\010\020\036\216\340\031\004\317\134\252\010\010\141\020 +\271\347\316\234\314\253\265\074\321\364\302\275\127\101\244\122 +\316\101\026\340\100\211\204\154\141\352 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "Entrust P384 EV TLS Root CA - 2022" +# Issuer: CN=Entrust P384 EV TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Serial Number:09:75:58:f5:a1:6c:16:87:7b:bd:06:4f:fd:9c:e4:83:ba:4b:04:0b +# Subject: CN=Entrust P384 EV TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Not Valid Before: Tue Dec 13 16:46:44 2022 +# Not Valid After : Sat Dec 07 16:46:44 2047 +# Fingerprint (SHA-256): 93:7E:F8:F1:22:76:B3:C7:A3:F5:8E:34:5D:09:A6:EF:F0:1F:86:2F:8D:27:94:44:1C:D8:4D:51:18:25:FA:0C +# Fingerprint (SHA1): 1E:6C:44:DC:64:73:D4:81:9B:E8:9F:B2:37:AF:48:83:FC:37:69:87 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Entrust P384 EV TLS Root CA - 2022" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\036\154\104\334\144\163\324\201\233\350\237\262\067\257\110\203 +\374\067\151\207 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\305\267\075\245\344\327\213\327\040\251\320\316\365\036\337\076 +END +CKA_ISSUER MULTILINE_OCTAL +\060\122\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\053\060\051\006\003\125\004\003 +\023\042\105\156\164\162\165\163\164\040\120\063\070\064\040\105 +\126\040\124\114\123\040\122\157\157\164\040\103\101\040\055\040 +\062\060\062\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL 
+\002\024\011\165\130\365\241\154\026\207\173\275\006\117\375\234 +\344\203\272\113\004\013 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "Telekom Security TLS ECC Root 2020" +# +# Issuer: CN=Telekom Security TLS ECC Root 2020,O=Deutsche Telekom Security GmbH,C=DE +# Serial Number:36:3a:96:8c:c9:5c:b2:58:cd:d0:01:5d:c5:e5:57:00 +# Subject: CN=Telekom Security TLS ECC Root 2020,O=Deutsche Telekom Security GmbH,C=DE +# Not Valid Before: Tue Aug 25 07:48:20 2020 +# Not Valid After : Fri Aug 25 23:59:59 2045 +# Fingerprint (SHA-256): 57:8A:F4:DE:D0:85:3F:4E:59:98:DB:4A:EA:F9:CB:EA:8D:94:5F:60:B6:20:A3:8D:1A:3C:13:B2:BC:7B:A8:E1 +# Fingerprint (SHA1): C0:F8:96:C5:A9:3B:01:06:21:07:DA:18:42:48:BC:E9:9D:88:D5:EC +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Telekom Security TLS ECC Root 2020" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\143\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\047\060\045\006\003\125\004\012\014\036\104\145\165\164\163\143 +\150\145\040\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\107\155\142\110\061\053\060\051\006\003\125\004 +\003\014\042\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\124\114\123\040\105\103\103\040\122\157\157\164 +\040\062\060\062\060 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\143\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\047\060\045\006\003\125\004\012\014\036\104\145\165\164\163\143 +\150\145\040\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\107\155\142\110\061\053\060\051\006\003\125\004 +\003\014\042\124\145\154\145\153\157\155\040\123\145\143\165\162 
+\151\164\171\040\124\114\123\040\105\103\103\040\122\157\157\164 +\040\062\060\062\060 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\066\072\226\214\311\134\262\130\315\320\001\135\305\345 +\127\000 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\102\060\202\001\311\240\003\002\001\002\002\020\066 +\072\226\214\311\134\262\130\315\320\001\135\305\345\127\000\060 +\012\006\010\052\206\110\316\075\004\003\003\060\143\061\013\060 +\011\006\003\125\004\006\023\002\104\105\061\047\060\045\006\003 +\125\004\012\014\036\104\145\165\164\163\143\150\145\040\124\145 +\154\145\153\157\155\040\123\145\143\165\162\151\164\171\040\107 +\155\142\110\061\053\060\051\006\003\125\004\003\014\042\124\145 +\154\145\153\157\155\040\123\145\143\165\162\151\164\171\040\124 +\114\123\040\105\103\103\040\122\157\157\164\040\062\060\062\060 +\060\036\027\015\062\060\060\070\062\065\060\067\064\070\062\060 +\132\027\015\064\065\060\070\062\065\062\063\065\071\065\071\132 +\060\143\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\047\060\045\006\003\125\004\012\014\036\104\145\165\164\163\143 +\150\145\040\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\107\155\142\110\061\053\060\051\006\003\125\004 +\003\014\042\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\124\114\123\040\105\103\103\040\122\157\157\164 +\040\062\060\062\060\060\166\060\020\006\007\052\206\110\316\075 +\002\001\006\005\053\201\004\000\042\003\142\000\004\316\277\376 +\127\250\277\325\252\367\020\232\315\274\321\021\242\275\147\102 +\314\220\353\025\030\220\331\242\315\014\052\045\353\076\117\316 +\265\322\217\017\363\065\332\103\213\002\200\276\157\121\044\035 +\017\153\053\312\237\302\157\120\062\345\067\040\266\040\377\210 +\015\017\155\111\273\333\006\244\207\220\222\224\364\011\320\317 +\177\310\200\013\301\227\263\273\065\047\311\302\033\243\102\060 +\100\060\035\006\003\125\035\016\004\026\004\024\343\162\314\156 
+\225\231\107\261\346\263\141\114\321\313\253\343\272\315\336\237 +\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001 +\377\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001 +\006\060\012\006\010\052\206\110\316\075\004\003\003\003\147\000 +\060\144\002\060\165\122\213\267\244\020\117\256\112\020\213\262 +\204\133\102\341\346\052\066\002\332\240\156\031\077\045\277\332 +\131\062\216\344\373\220\334\223\144\316\255\264\101\107\140\342 +\317\247\313\036\002\060\067\101\214\146\337\101\153\326\203\000 +\101\375\057\132\367\120\264\147\321\054\250\161\327\103\312\234 +\047\044\221\203\110\015\317\315\367\124\201\257\354\177\344\147 +\333\270\220\356\335\045 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "Telekom Security TLS ECC Root 2020" +# Issuer: CN=Telekom Security TLS ECC Root 2020,O=Deutsche Telekom Security GmbH,C=DE +# Serial Number:36:3a:96:8c:c9:5c:b2:58:cd:d0:01:5d:c5:e5:57:00 +# Subject: CN=Telekom Security TLS ECC Root 2020,O=Deutsche Telekom Security GmbH,C=DE +# Not Valid Before: Tue Aug 25 07:48:20 2020 +# Not Valid After : Fri Aug 25 23:59:59 2045 +# Fingerprint (SHA-256): 57:8A:F4:DE:D0:85:3F:4E:59:98:DB:4A:EA:F9:CB:EA:8D:94:5F:60:B6:20:A3:8D:1A:3C:13:B2:BC:7B:A8:E1 +# Fingerprint (SHA1): C0:F8:96:C5:A9:3B:01:06:21:07:DA:18:42:48:BC:E9:9D:88:D5:EC +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Telekom Security TLS ECC Root 2020" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\300\370\226\305\251\073\001\006\041\007\332\030\102\110\274\351 +\235\210\325\354 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\301\253\376\152\020\054\003\215\274\034\042\062\300\205\247\375 +END +CKA_ISSUER MULTILINE_OCTAL +\060\143\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\047\060\045\006\003\125\004\012\014\036\104\145\165\164\163\143 
+\150\145\040\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\107\155\142\110\061\053\060\051\006\003\125\004 +\003\014\042\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\124\114\123\040\105\103\103\040\122\157\157\164 +\040\062\060\062\060 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\066\072\226\214\311\134\262\130\315\320\001\135\305\345 +\127\000 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "Telekom Security TLS RSA Root 2023" +# +# Issuer: CN=Telekom Security TLS RSA Root 2023,O=Deutsche Telekom Security GmbH,C=DE +# Serial Number:21:9c:54:2d:e8:f6:ec:71:77:fa:4e:e8:c3:70:57:97 +# Subject: CN=Telekom Security TLS RSA Root 2023,O=Deutsche Telekom Security GmbH,C=DE +# Not Valid Before: Tue Mar 28 12:16:45 2023 +# Not Valid After : Fri Mar 27 23:59:59 2048 +# Fingerprint (SHA-256): EF:C6:5C:AD:BB:59:AD:B6:EF:E8:4D:A2:23:11:B3:56:24:B7:1B:3B:1E:A0:DA:8B:66:55:17:4E:C8:97:86:46 +# Fingerprint (SHA1): 54:D3:AC:B3:BD:57:56:F6:85:9D:CE:E5:C3:21:E2:D4:AD:83:D0:93 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Telekom Security TLS RSA Root 2023" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\143\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\047\060\045\006\003\125\004\012\014\036\104\145\165\164\163\143 +\150\145\040\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\107\155\142\110\061\053\060\051\006\003\125\004 +\003\014\042\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\124\114\123\040\122\123\101\040\122\157\157\164 +\040\062\060\062\063 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL 
+\060\143\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\047\060\045\006\003\125\004\012\014\036\104\145\165\164\163\143 +\150\145\040\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\107\155\142\110\061\053\060\051\006\003\125\004 +\003\014\042\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\124\114\123\040\122\123\101\040\122\157\157\164 +\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\041\234\124\055\350\366\354\161\167\372\116\350\303\160 +\127\227 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\263\060\202\003\233\240\003\002\001\002\002\020\041 +\234\124\055\350\366\354\161\167\372\116\350\303\160\127\227\060 +\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\143 +\061\013\060\011\006\003\125\004\006\023\002\104\105\061\047\060 +\045\006\003\125\004\012\014\036\104\145\165\164\163\143\150\145 +\040\124\145\154\145\153\157\155\040\123\145\143\165\162\151\164 +\171\040\107\155\142\110\061\053\060\051\006\003\125\004\003\014 +\042\124\145\154\145\153\157\155\040\123\145\143\165\162\151\164 +\171\040\124\114\123\040\122\123\101\040\122\157\157\164\040\062 +\060\062\063\060\036\027\015\062\063\060\063\062\070\061\062\061 +\066\064\065\132\027\015\064\070\060\063\062\067\062\063\065\071 +\065\071\132\060\143\061\013\060\011\006\003\125\004\006\023\002 +\104\105\061\047\060\045\006\003\125\004\012\014\036\104\145\165 +\164\163\143\150\145\040\124\145\154\145\153\157\155\040\123\145 +\143\165\162\151\164\171\040\107\155\142\110\061\053\060\051\006 +\003\125\004\003\014\042\124\145\154\145\153\157\155\040\123\145 +\143\165\162\151\164\171\040\124\114\123\040\122\123\101\040\122 +\157\157\164\040\062\060\062\063\060\202\002\042\060\015\006\011 +\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000 +\060\202\002\012\002\202\002\001\000\355\065\241\201\200\363\313 +\112\151\133\302\373\121\203\256\046\375\341\156\363\201\022\175 
+\161\100\377\207\165\102\051\041\355\201\122\054\337\022\301\031 +\204\211\301\275\305\050\325\325\113\154\104\326\114\333\007\226 +\112\125\172\312\066\202\004\066\250\245\374\047\366\111\361\325 +\162\236\221\371\043\326\160\173\273\365\233\301\354\223\317\031 +\352\145\176\210\160\240\163\374\366\377\265\126\142\341\163\152 +\064\230\076\202\270\254\225\123\364\001\240\047\007\162\243\000 +\123\240\344\262\253\203\070\127\063\045\224\237\276\110\035\230 +\341\243\272\236\134\315\004\161\121\175\165\170\253\363\131\252 +\304\340\140\276\217\203\122\270\165\032\101\065\355\274\363\072 +\143\351\251\024\105\327\346\122\321\156\322\336\274\343\365\013 +\073\346\340\304\275\103\144\023\246\316\364\230\067\154\212\225 +\250\227\310\107\017\360\136\020\213\347\035\034\376\261\073\240 +\005\063\150\005\101\202\301\003\053\001\310\347\217\115\253\350 +\265\366\315\153\104\265\347\335\213\354\352\045\264\000\042\127 +\115\260\261\262\061\301\026\316\377\375\024\204\267\107\372\262 +\361\160\336\333\213\154\066\130\244\174\263\021\321\303\167\177 +\137\266\045\340\015\305\322\263\371\270\270\167\333\067\161\161 +\107\343\140\030\117\044\266\165\067\170\271\243\142\257\275\311 +\162\216\057\314\273\256\333\344\025\122\031\007\063\373\152\267 +\055\113\220\050\202\163\376\030\213\065\215\333\247\004\152\276 +\352\301\115\066\073\026\066\221\062\357\266\100\211\221\103\340 +\362\242\253\004\056\346\362\114\016\026\064\040\254\207\301\055 +\176\311\146\107\027\024\021\244\363\367\241\044\211\253\330\032 +\310\241\134\261\243\367\214\155\310\001\311\117\311\354\304\374 +\254\121\063\321\310\203\321\311\237\035\324\107\064\051\076\313 +\260\016\372\203\013\050\130\345\051\334\077\174\250\237\311\266 +\012\273\246\350\106\026\017\226\345\173\344\152\172\110\155\166 +\230\005\245\334\155\036\102\036\102\332\032\340\122\367\265\203 +\300\032\173\170\065\054\070\365\037\375\111\243\056\322\131\143 +\277\200\260\214\223\163\313\065\246\231\225\042\141\145\003\140 
+\373\057\223\113\372\232\234\200\073\002\003\001\000\001\243\143 +\060\141\060\016\006\003\125\035\017\001\001\377\004\004\003\002 +\001\006\060\035\006\003\125\035\016\004\026\004\024\266\247\227 +\202\075\164\205\233\367\074\237\223\232\225\171\165\122\214\155 +\107\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001 +\001\377\060\037\006\003\125\035\043\004\030\060\026\200\024\266 +\247\227\202\075\164\205\233\367\074\237\223\232\225\171\165\122 +\214\155\107\060\015\006\011\052\206\110\206\367\015\001\001\014 +\005\000\003\202\002\001\000\250\314\141\246\276\165\236\025\120 +\244\153\373\250\160\105\174\272\176\261\132\374\133\043\372\012 +\167\370\230\161\202\014\155\340\136\106\252\223\364\036\240\303 +\341\223\333\113\255\262\246\135\253\260\324\142\313\136\273\146 +\365\055\356\227\100\074\142\353\136\326\024\326\214\342\226\213 +\101\151\223\065\346\271\231\153\142\264\241\027\146\064\246\153 +\143\306\271\116\362\042\351\130\015\126\101\321\372\014\112\360 +\063\315\073\273\155\041\072\256\216\162\265\303\112\373\351\175 +\345\261\233\206\356\342\340\175\264\367\062\375\042\204\361\205 +\311\067\171\351\265\077\277\134\344\164\262\217\021\142\000\335 +\030\146\241\331\173\043\137\361\216\325\147\350\124\332\133\072 +\153\066\157\371\201\261\063\107\063\167\100\371\122\252\335\324 +\203\317\205\170\231\232\223\271\163\147\102\106\021\041\352\376 +\012\251\033\032\145\151\263\217\256\026\266\366\113\126\262\055 +\371\245\310\354\073\142\243\355\153\320\116\325\100\011\244\037 +\230\327\072\245\222\131\040\344\260\175\315\133\163\150\275\155 +\304\242\023\016\147\031\270\215\102\176\154\014\232\156\240\044 +\055\325\105\033\334\304\002\024\376\205\133\145\227\312\116\220 +\120\010\172\102\065\371\352\302\146\324\370\001\256\036\264\276 +\303\250\357\376\166\232\242\246\037\106\366\204\355\374\333\316 +\304\002\316\167\110\054\214\262\354\303\000\243\354\054\125\030 +\301\176\031\356\341\057\362\255\203\233\236\253\031\337\306\212 
+\057\214\167\345\267\005\354\073\301\354\276\206\263\206\274\300 +\367\334\347\352\133\256\262\314\265\065\206\113\320\342\077\266 +\330\370\016\000\356\135\343\367\215\130\377\317\213\067\351\143 +\137\156\367\011\161\066\302\022\135\127\362\310\264\315\363\356 +\002\337\021\334\152\271\127\204\035\131\115\214\316\310\016\043 +\302\267\046\232\020\024\161\376\223\262\212\270\200\360\016\020 +\236\323\250\120\014\067\202\057\352\340\212\235\341\054\071\377 +\265\264\163\000\344\367\110\246\163\254\277\262\336\167\004\207 +\264\243\315\233\065\044\067\372\220\223\023\201\102\306\230\046 +\165\067\146\101\020\254\273\365\224\343\302\061\053\255\347\043 +\126\314\065\045\222\263\120 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "Telekom Security TLS RSA Root 2023" +# Issuer: CN=Telekom Security TLS RSA Root 2023,O=Deutsche Telekom Security GmbH,C=DE +# Serial Number:21:9c:54:2d:e8:f6:ec:71:77:fa:4e:e8:c3:70:57:97 +# Subject: CN=Telekom Security TLS RSA Root 2023,O=Deutsche Telekom Security GmbH,C=DE +# Not Valid Before: Tue Mar 28 12:16:45 2023 +# Not Valid After : Fri Mar 27 23:59:59 2048 +# Fingerprint (SHA-256): EF:C6:5C:AD:BB:59:AD:B6:EF:E8:4D:A2:23:11:B3:56:24:B7:1B:3B:1E:A0:DA:8B:66:55:17:4E:C8:97:86:46 +# Fingerprint (SHA1): 54:D3:AC:B3:BD:57:56:F6:85:9D:CE:E5:C3:21:E2:D4:AD:83:D0:93 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Telekom Security TLS RSA Root 2023" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\124\323\254\263\275\127\126\366\205\235\316\345\303\041\342\324 +\255\203\320\223 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\277\133\353\124\100\315\110\161\304\040\215\175\336\012\102\362 +END +CKA_ISSUER MULTILINE_OCTAL +\060\143\061\013\060\011\006\003\125\004\006\023\002\104\105\061 
+\047\060\045\006\003\125\004\012\014\036\104\145\165\164\163\143 +\150\145\040\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\107\155\142\110\061\053\060\051\006\003\125\004 +\003\014\042\124\145\154\145\153\157\155\040\123\145\143\165\162 +\151\164\171\040\124\114\123\040\122\123\101\040\122\157\157\164 +\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\041\234\124\055\350\366\354\161\167\372\116\350\303\160 +\127\227 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "TWCA CYBER Root CA" +# +# Issuer: CN=TWCA CYBER Root CA,OU=Root CA,O=TAIWAN-CA,C=TW +# Serial Number:40:01:34:8c:c2:00:00:00:00:00:00:00:01:3c:f2:c6 +# Subject: CN=TWCA CYBER Root CA,OU=Root CA,O=TAIWAN-CA,C=TW +# Not Valid Before: Tue Nov 22 06:54:29 2022 +# Not Valid After : Fri Nov 22 15:59:59 2047 +# Fingerprint (SHA-256): 3F:63:BB:28:14:BE:17:4E:C8:B6:43:9C:F0:8D:6D:56:F0:B7:C4:05:88:3A:56:48:A3:34:42:4D:6B:3E:C5:58 +# Fingerprint (SHA1): F6:B1:1C:1A:83:38:E9:7B:DB:B3:A8:C8:33:24:E0:2D:9C:7F:26:66 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "TWCA CYBER Root CA" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\120\061\013\060\011\006\003\125\004\006\023\002\124\127\061 +\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116 +\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157 +\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022 +\124\127\103\101\040\103\131\102\105\122\040\122\157\157\164\040 +\103\101 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\120\061\013\060\011\006\003\125\004\006\023\002\124\127\061 
+\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116 +\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157 +\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022 +\124\127\103\101\040\103\131\102\105\122\040\122\157\157\164\040 +\103\101 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\100\001\064\214\302\000\000\000\000\000\000\000\001\074 +\362\306 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\215\060\202\003\165\240\003\002\001\002\002\020\100 +\001\064\214\302\000\000\000\000\000\000\000\001\074\362\306\060 +\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\120 +\061\013\060\011\006\003\125\004\006\023\002\124\127\061\022\060 +\020\006\003\125\004\012\023\011\124\101\111\127\101\116\055\103 +\101\061\020\060\016\006\003\125\004\013\023\007\122\157\157\164 +\040\103\101\061\033\060\031\006\003\125\004\003\023\022\124\127 +\103\101\040\103\131\102\105\122\040\122\157\157\164\040\103\101 +\060\036\027\015\062\062\061\061\062\062\060\066\065\064\062\071 +\132\027\015\064\067\061\061\062\062\061\065\065\071\065\071\132 +\060\120\061\013\060\011\006\003\125\004\006\023\002\124\127\061 +\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116 +\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157 +\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022 +\124\127\103\101\040\103\131\102\105\122\040\122\157\157\164\040 +\103\101\060\202\002\042\060\015\006\011\052\206\110\206\367\015 +\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202 +\002\001\000\306\370\312\036\331\011\040\176\035\154\116\316\217 +\343\107\063\104\234\307\311\151\252\072\133\170\356\160\322\222 +\370\004\263\122\122\035\147\162\050\241\337\213\135\225\012\376 +\352\315\355\367\051\316\360\157\177\254\315\075\357\263\034\105 +\152\367\050\220\361\141\127\305\014\304\243\120\135\336\324\265 +\313\031\312\200\271\165\316\051\316\322\205\042\354\002\143\314 
+\104\060\040\332\352\221\133\126\346\035\034\325\235\146\307\077 +\337\206\312\113\123\304\331\215\262\035\352\370\334\047\123\243 +\107\341\141\314\175\265\260\370\356\163\221\305\316\163\157\316 +\356\020\037\032\006\317\351\047\140\305\117\031\344\353\316\042 +\046\105\327\140\231\335\316\117\067\340\177\347\143\255\260\270 +\131\270\320\006\150\065\140\323\066\256\161\103\004\361\151\145 +\170\174\363\037\363\312\050\237\132\040\225\146\264\315\267\356 +\217\170\244\105\030\351\046\057\215\233\051\050\261\244\267\072 +\155\271\324\034\070\162\105\130\261\136\353\360\050\233\267\202 +\312\375\317\326\063\017\237\373\227\236\261\034\234\236\352\137 +\136\333\252\335\124\351\060\041\050\155\216\171\363\165\222\214 +\046\376\334\305\366\303\260\337\104\131\103\243\266\003\050\366 +\010\060\252\015\063\341\357\234\251\007\042\343\131\133\100\217 +\332\210\267\151\010\250\267\043\056\104\011\131\067\133\307\343 +\027\362\042\353\156\071\122\305\336\124\247\230\311\113\040\225 +\334\106\211\137\264\022\371\205\051\216\353\310\047\025\040\300 +\113\324\314\174\014\154\064\014\046\233\046\061\246\074\247\366 +\331\320\113\242\144\377\073\231\101\162\301\340\160\227\361\044 +\273\053\304\164\042\261\254\153\042\062\044\323\170\052\300\300 +\241\057\361\122\005\311\077\357\166\146\342\105\330\015\075\255 +\225\310\307\211\046\310\017\256\247\003\056\373\301\137\372\040 +\341\160\255\260\145\040\067\063\140\260\325\257\327\014\034\302 +\220\160\327\112\030\274\176\001\260\260\353\025\036\104\006\315 +\244\117\350\014\321\303\040\020\341\124\145\236\266\121\320\032 +\166\153\102\132\130\166\064\352\267\067\031\256\056\165\371\226 +\345\301\131\367\224\127\051\045\215\072\114\253\115\232\101\320 +\137\046\003\002\003\001\000\001\243\143\060\141\060\016\006\003 +\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003 +\125\035\023\001\001\377\004\005\060\003\001\001\377\060\037\006 +\003\125\035\043\004\030\060\026\200\024\235\205\141\024\174\301 
+\142\157\227\150\344\117\067\100\341\255\340\015\126\067\060\035 +\006\003\125\035\016\004\026\004\024\235\205\141\024\174\301\142 +\157\227\150\344\117\067\100\341\255\340\015\126\067\060\015\006 +\011\052\206\110\206\367\015\001\001\014\005\000\003\202\002\001 +\000\144\217\172\304\142\016\265\210\314\270\307\206\016\241\112 +\026\315\160\013\267\247\205\013\263\166\266\017\247\377\010\213 +\013\045\317\250\324\203\165\052\270\226\210\266\373\337\055\055 +\264\151\123\041\065\127\326\211\115\163\277\151\217\160\243\141 +\314\232\333\036\232\340\040\370\154\273\233\042\235\135\204\061 +\232\054\212\335\152\241\327\050\151\312\376\166\125\172\106\147 +\353\314\103\210\026\242\003\326\271\027\370\031\154\155\043\002 +\177\361\137\320\012\051\043\073\321\252\012\355\251\027\046\124 +\012\115\302\245\115\370\305\375\270\201\317\053\054\170\243\147 +\114\251\007\232\363\337\136\373\174\365\211\315\164\227\141\020 +\152\007\053\201\132\322\216\267\347\040\321\040\156\044\250\204 +\047\241\127\254\252\125\130\057\334\331\312\372\150\004\236\355 +\104\044\371\164\100\073\043\063\253\203\132\030\046\102\266\155 +\124\265\026\140\060\154\261\240\370\270\101\240\135\111\111\322 +\145\005\072\352\376\235\141\274\206\331\277\336\323\272\072\261 +\177\176\222\064\216\311\000\156\334\230\275\334\354\200\005\255 +\002\075\337\145\355\013\003\367\367\026\204\004\061\272\223\224 +\330\362\022\370\212\343\277\102\257\247\324\315\021\027\026\310 +\102\035\024\250\102\366\322\100\206\240\117\043\312\226\105\126 +\140\006\315\267\125\001\246\001\224\145\376\156\005\011\272\264 +\244\252\342\357\130\276\275\047\126\330\357\163\161\133\104\063 +\362\232\162\352\260\136\076\156\251\122\133\354\160\155\265\207 +\217\067\136\074\214\234\316\344\360\316\014\147\101\314\316\366 +\200\253\116\314\114\126\365\301\141\131\223\264\076\246\332\270 +\067\022\237\052\062\343\213\270\041\354\303\053\145\014\357\042 +\336\210\051\073\114\327\372\376\267\341\107\276\234\076\076\203 
+\373\121\135\365\150\367\056\041\205\334\277\361\132\342\174\327 +\305\344\203\301\152\353\272\200\132\336\134\055\160\166\370\310 +\345\207\207\312\240\235\241\345\042\022\047\017\104\075\035\154 +\352\324\302\213\057\157\171\253\177\120\246\304\031\247\241\172 +\267\226\371\301\037\142\132\242\103\007\100\136\046\306\254\355 +\256\160\026\305\252\312\162\212\115\260\317\001\213\003\077\156 +\327 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "TWCA CYBER Root CA" +# Issuer: CN=TWCA CYBER Root CA,OU=Root CA,O=TAIWAN-CA,C=TW +# Serial Number:40:01:34:8c:c2:00:00:00:00:00:00:00:01:3c:f2:c6 +# Subject: CN=TWCA CYBER Root CA,OU=Root CA,O=TAIWAN-CA,C=TW +# Not Valid Before: Tue Nov 22 06:54:29 2022 +# Not Valid After : Fri Nov 22 15:59:59 2047 +# Fingerprint (SHA-256): 3F:63:BB:28:14:BE:17:4E:C8:B6:43:9C:F0:8D:6D:56:F0:B7:C4:05:88:3A:56:48:A3:34:42:4D:6B:3E:C5:58 +# Fingerprint (SHA1): F6:B1:1C:1A:83:38:E9:7B:DB:B3:A8:C8:33:24:E0:2D:9C:7F:26:66 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "TWCA CYBER Root CA" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\366\261\034\032\203\070\351\173\333\263\250\310\063\044\340\055 +\234\177\046\146 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\013\063\240\227\122\225\324\251\375\273\333\156\243\125\133\121 +END +CKA_ISSUER MULTILINE_OCTAL +\060\120\061\013\060\011\006\003\125\004\006\023\002\124\127\061 +\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116 +\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157 +\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022 +\124\127\103\101\040\103\131\102\105\122\040\122\157\157\164\040 +\103\101 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\100\001\064\214\302\000\000\000\000\000\000\000\001\074 +\362\306 +END +CKA_TRUST_SERVER_AUTH CK_TRUST 
CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "SSL.com TLS RSA Root CA 2022" +# +# Issuer: CN=SSL.com TLS RSA Root CA 2022,O=SSL Corporation,C=US +# Serial Number:6f:be:da:ad:73:bd:08:40:e2:8b:4d:be:d4:f7:5b:91 +# Subject: CN=SSL.com TLS RSA Root CA 2022,O=SSL Corporation,C=US +# Not Valid Before: Thu Aug 25 16:34:22 2022 +# Not Valid After : Sun Aug 19 16:34:21 2046 +# Fingerprint (SHA-256): 8F:AF:7D:2E:2C:B4:70:9B:B8:E0:B3:36:66:BF:75:A5:DD:45:B5:DE:48:0F:8E:A8:D4:BF:E6:BE:BC:17:F2:ED +# Fingerprint (SHA1): EC:2C:83:40:72:AF:26:95:10:FF:0E:F2:03:EE:31:70:F6:78:9D:CA +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com TLS RSA Root CA 2022" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\030\060\026\006\003\125\004\012\014\017\123\123\114\040\103\157 +\162\160\157\162\141\164\151\157\156\061\045\060\043\006\003\125 +\004\003\014\034\123\123\114\056\143\157\155\040\124\114\123\040 +\122\123\101\040\122\157\157\164\040\103\101\040\062\060\062\062 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\030\060\026\006\003\125\004\012\014\017\123\123\114\040\103\157 +\162\160\157\162\141\164\151\157\156\061\045\060\043\006\003\125 +\004\003\014\034\123\123\114\056\143\157\155\040\124\114\123\040 +\122\123\101\040\122\157\157\164\040\103\101\040\062\060\062\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\157\276\332\255\163\275\010\100\342\213\115\276\324\367 +\133\221 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\211\060\202\003\161\240\003\002\001\002\002\020\157 +\276\332\255\163\275\010\100\342\213\115\276\324\367\133\221\060 
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\116 +\061\013\060\011\006\003\125\004\006\023\002\125\123\061\030\060 +\026\006\003\125\004\012\014\017\123\123\114\040\103\157\162\160 +\157\162\141\164\151\157\156\061\045\060\043\006\003\125\004\003 +\014\034\123\123\114\056\143\157\155\040\124\114\123\040\122\123 +\101\040\122\157\157\164\040\103\101\040\062\060\062\062\060\036 +\027\015\062\062\060\070\062\065\061\066\063\064\062\062\132\027 +\015\064\066\060\070\061\071\061\066\063\064\062\061\132\060\116 +\061\013\060\011\006\003\125\004\006\023\002\125\123\061\030\060 +\026\006\003\125\004\012\014\017\123\123\114\040\103\157\162\160 +\157\162\141\164\151\157\156\061\045\060\043\006\003\125\004\003 +\014\034\123\123\114\056\143\157\155\040\124\114\123\040\122\123 +\101\040\122\157\157\164\040\103\101\040\062\060\062\062\060\202 +\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005 +\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\320 +\244\011\162\117\100\210\022\141\076\065\043\236\356\366\164\317 +\057\173\130\075\316\074\015\020\050\220\057\227\367\214\110\330 +\240\330\045\261\114\260\021\114\027\163\120\320\042\112\143\273 +\201\323\051\156\325\265\011\076\046\030\177\262\022\177\223\230 +\267\257\360\066\277\362\356\030\236\234\073\122\305\107\031\135 +\164\363\144\146\325\135\307\150\264\277\033\034\006\243\274\217 +\100\043\266\036\306\204\275\121\304\033\071\301\225\322\051\354 +\113\256\173\055\277\071\375\264\142\336\226\173\101\306\234\240 +\340\006\162\373\360\007\227\011\071\201\164\257\367\064\131\021 +\127\012\302\133\301\044\364\061\163\060\202\306\235\272\002\367 +\076\174\104\137\203\015\363\361\335\040\151\026\011\120\342\324 +\125\266\340\200\162\166\156\114\107\267\165\125\131\264\123\164 +\331\224\306\101\255\130\212\061\146\017\036\242\033\051\100\116 +\057\337\173\346\026\054\055\374\277\354\363\264\372\276\030\366 +\233\111\324\356\005\156\331\064\363\234\361\354\001\213\321\040 
+\306\017\240\265\274\027\116\110\173\121\302\374\351\134\151\067 +\107\146\263\150\370\025\050\360\271\323\244\025\314\132\117\272 +\122\160\243\022\105\335\306\272\116\373\302\320\367\250\122\047 +\155\156\171\265\214\374\173\214\301\026\114\356\200\177\276\360 +\166\276\101\123\022\063\256\132\070\102\253\327\017\076\101\215 +\166\007\062\325\253\211\366\116\147\331\261\102\165\043\156\363 +\315\102\262\374\125\365\123\207\027\073\300\063\130\361\122\322 +\371\200\244\360\350\360\073\213\070\314\244\306\220\177\017\234 +\375\213\321\243\317\332\203\247\151\311\120\066\325\134\005\322 +\012\101\164\333\143\021\067\301\245\240\226\113\036\214\026\022 +\167\256\224\064\173\036\177\302\146\000\344\252\203\352\212\220 +\255\316\066\104\115\321\121\351\274\037\363\152\005\375\300\164 +\037\045\031\100\121\156\352\202\121\100\337\233\271\010\052\006 +\002\325\043\034\023\326\351\333\333\306\260\172\313\173\047\233 +\373\340\325\106\044\355\020\113\143\113\245\005\217\272\270\035 +\053\246\372\221\342\222\122\275\354\353\147\227\155\232\055\237 +\201\062\005\147\062\373\110\010\077\331\045\270\004\045\057\002 +\003\001\000\001\243\143\060\141\060\017\006\003\125\035\023\001 +\001\377\004\005\060\003\001\001\377\060\037\006\003\125\035\043 +\004\030\060\026\200\024\373\056\067\356\343\204\172\047\056\315 +\031\065\261\063\174\377\324\104\102\271\060\035\006\003\125\035 +\016\004\026\004\024\373\056\067\356\343\204\172\047\056\315\031 +\065\261\063\174\377\324\104\102\271\060\016\006\003\125\035\017 +\001\001\377\004\004\003\002\001\206\060\015\006\011\052\206\110 +\206\367\015\001\001\013\005\000\003\202\002\001\000\215\211\155 +\204\105\030\361\117\263\240\357\150\244\300\035\254\060\274\147 +\146\260\232\315\266\253\042\031\146\323\073\101\265\020\235\020 +\272\162\156\051\044\040\034\001\231\142\323\226\340\342\373\014 +\102\327\341\132\304\226\115\124\315\217\312\103\123\375\052\270 +\352\370\145\312\001\302\255\140\150\006\237\071\032\121\331\340 
+\215\046\371\013\116\245\123\045\172\043\244\034\316\010\033\337 +\107\210\262\255\076\340\047\207\213\111\214\037\251\107\130\173 +\226\362\210\035\030\256\263\321\246\012\224\372\333\323\345\070 +\012\153\171\022\063\373\112\131\067\026\100\016\273\336\365\211 +\014\361\154\323\367\121\153\136\065\365\333\300\046\352\022\163 +\116\251\221\220\246\027\303\154\057\070\324\243\162\224\103\054 +\142\341\116\134\062\075\275\114\175\031\107\242\303\111\347\226 +\077\217\232\323\073\344\021\330\213\003\334\366\266\140\125\030 +\246\201\121\363\341\250\025\152\353\340\013\360\024\061\326\271 +\214\105\072\250\020\330\360\271\047\353\367\313\172\357\005\162 +\226\265\304\217\226\163\304\350\126\163\234\274\151\121\143\274 +\357\147\034\103\032\137\167\031\037\030\370\034\045\051\371\111 +\231\051\266\222\075\242\203\067\261\040\221\250\233\060\351\152 +\154\264\043\223\145\004\253\021\363\016\035\123\044\111\123\035 +\241\077\235\110\222\021\342\175\015\117\365\327\275\242\130\076 +\170\235\036\037\053\376\041\273\032\023\266\261\050\144\375\260 +\002\000\307\154\200\242\275\026\120\040\017\162\201\137\314\224 +\377\273\231\346\272\220\313\352\371\306\014\302\256\305\031\316 +\063\241\153\134\273\176\174\064\127\027\255\360\077\256\315\352 +\257\231\354\054\124\176\214\316\056\022\126\110\357\027\073\077 +\112\136\140\322\334\164\066\274\245\103\143\313\017\133\243\002 +\126\011\236\044\054\341\206\201\214\376\253\027\054\372\310\342 +\062\032\072\377\205\010\311\203\237\362\112\110\020\124\167\067 +\355\242\274\100\276\344\020\164\367\344\133\273\271\363\211\371 +\217\101\330\307\344\120\220\065\200\076\034\270\115\220\323\324 +\367\303\260\241\176\204\312\167\222\061\054\270\220\261\202\172 +\164\116\233\023\046\264\325\120\146\124\170\256\140 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "SSL.com TLS RSA Root CA 2022" +# Issuer: CN=SSL.com TLS RSA Root CA 
2022,O=SSL Corporation,C=US +# Serial Number:6f:be:da:ad:73:bd:08:40:e2:8b:4d:be:d4:f7:5b:91 +# Subject: CN=SSL.com TLS RSA Root CA 2022,O=SSL Corporation,C=US +# Not Valid Before: Thu Aug 25 16:34:22 2022 +# Not Valid After : Sun Aug 19 16:34:21 2046 +# Fingerprint (SHA-256): 8F:AF:7D:2E:2C:B4:70:9B:B8:E0:B3:36:66:BF:75:A5:DD:45:B5:DE:48:0F:8E:A8:D4:BF:E6:BE:BC:17:F2:ED +# Fingerprint (SHA1): EC:2C:83:40:72:AF:26:95:10:FF:0E:F2:03:EE:31:70:F6:78:9D:CA +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com TLS RSA Root CA 2022" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\354\054\203\100\162\257\046\225\020\377\016\362\003\356\061\160 +\366\170\235\312 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\330\116\306\131\060\330\376\240\326\172\132\054\054\151\170\332 +END +CKA_ISSUER MULTILINE_OCTAL +\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\030\060\026\006\003\125\004\012\014\017\123\123\114\040\103\157 +\162\160\157\162\141\164\151\157\156\061\045\060\043\006\003\125 +\004\003\014\034\123\123\114\056\143\157\155\040\124\114\123\040 +\122\123\101\040\122\157\157\164\040\103\101\040\062\060\062\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\157\276\332\255\163\275\010\100\342\213\115\276\324\367 +\133\221 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "SSL.com TLS ECC Root CA 2022" +# +# Issuer: CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US +# Serial Number:14:03:f5:ab:fb:37:8b:17:40:5b:e2:43:b2:a5:d1:c4 +# Subject: CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US +# Not Valid Before: Thu Aug 25 16:33:48 2022 +# Not Valid After : Sun Aug 19 16:33:47 2046 +# Fingerprint (SHA-256): 
C3:2F:FD:9F:46:F9:36:D1:6C:36:73:99:09:59:43:4B:9A:D6:0A:AF:BB:9E:7C:F3:36:54:F1:44:CC:1B:A1:43 +# Fingerprint (SHA1): 9F:5F:D9:1A:54:6D:F5:0C:71:F0:EE:7A:BD:17:49:98:84:73:E2:39 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com TLS ECC Root CA 2022" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\030\060\026\006\003\125\004\012\014\017\123\123\114\040\103\157 +\162\160\157\162\141\164\151\157\156\061\045\060\043\006\003\125 +\004\003\014\034\123\123\114\056\143\157\155\040\124\114\123\040 +\105\103\103\040\122\157\157\164\040\103\101\040\062\060\062\062 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\030\060\026\006\003\125\004\012\014\017\123\123\114\040\103\157 +\162\160\157\162\141\164\151\157\156\061\045\060\043\006\003\125 +\004\003\014\034\123\123\114\056\143\157\155\040\124\114\123\040 +\105\103\103\040\122\157\157\164\040\103\101\040\062\060\062\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\024\003\365\253\373\067\213\027\100\133\342\103\262\245 +\321\304 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\072\060\202\001\300\240\003\002\001\002\002\020\024 +\003\365\253\373\067\213\027\100\133\342\103\262\245\321\304\060 +\012\006\010\052\206\110\316\075\004\003\003\060\116\061\013\060 +\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003 +\125\004\012\014\017\123\123\114\040\103\157\162\160\157\162\141 +\164\151\157\156\061\045\060\043\006\003\125\004\003\014\034\123 +\123\114\056\143\157\155\040\124\114\123\040\105\103\103\040\122 +\157\157\164\040\103\101\040\062\060\062\062\060\036\027\015\062 +\062\060\070\062\065\061\066\063\063\064\070\132\027\015\064\066 +\060\070\061\071\061\066\063\063\064\067\132\060\116\061\013\060 
+\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003 +\125\004\012\014\017\123\123\114\040\103\157\162\160\157\162\141 +\164\151\157\156\061\045\060\043\006\003\125\004\003\014\034\123 +\123\114\056\143\157\155\040\124\114\123\040\105\103\103\040\122 +\157\157\164\040\103\101\040\062\060\062\062\060\166\060\020\006 +\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003 +\142\000\004\105\051\065\163\372\302\270\043\316\024\175\250\261 +\115\240\133\066\356\052\054\123\303\140\011\065\262\044\146\046 +\151\300\263\225\326\135\222\100\031\016\306\245\023\160\364\357 +\022\121\050\135\347\314\275\371\074\205\301\317\224\220\311\053 +\316\222\102\130\131\147\375\224\047\020\144\214\117\004\261\115 +\111\344\173\117\233\365\347\010\370\003\210\367\247\303\222\113 +\031\124\201\243\143\060\141\060\017\006\003\125\035\023\001\001 +\377\004\005\060\003\001\001\377\060\037\006\003\125\035\043\004 +\030\060\026\200\024\211\217\057\243\350\053\240\024\124\173\363 +\126\270\046\137\147\070\013\234\320\060\035\006\003\125\035\016 +\004\026\004\024\211\217\057\243\350\053\240\024\124\173\363\126 +\270\046\137\147\070\013\234\320\060\016\006\003\125\035\017\001 +\001\377\004\004\003\002\001\206\060\012\006\010\052\206\110\316 +\075\004\003\003\003\150\000\060\145\002\060\125\343\042\126\351 +\327\222\044\130\117\036\224\062\017\014\002\066\302\375\254\164 +\062\116\341\373\034\200\210\243\314\373\327\353\053\377\067\175 +\360\355\327\236\165\152\065\166\122\105\340\002\061\000\307\215 +\157\102\040\217\276\266\115\131\355\167\115\051\304\040\040\105 +\144\206\072\120\306\304\255\055\223\365\030\175\162\355\251\317 +\304\254\127\066\050\010\145\337\074\171\146\176\240\352 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "SSL.com TLS ECC Root CA 2022" +# Issuer: CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US +# Serial 
Number:14:03:f5:ab:fb:37:8b:17:40:5b:e2:43:b2:a5:d1:c4 +# Subject: CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US +# Not Valid Before: Thu Aug 25 16:33:48 2022 +# Not Valid After : Sun Aug 19 16:33:47 2046 +# Fingerprint (SHA-256): C3:2F:FD:9F:46:F9:36:D1:6C:36:73:99:09:59:43:4B:9A:D6:0A:AF:BB:9E:7C:F3:36:54:F1:44:CC:1B:A1:43 +# Fingerprint (SHA1): 9F:5F:D9:1A:54:6D:F5:0C:71:F0:EE:7A:BD:17:49:98:84:73:E2:39 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com TLS ECC Root CA 2022" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\237\137\331\032\124\155\365\014\161\360\356\172\275\027\111\230 +\204\163\342\071 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\231\327\134\361\121\066\314\351\316\331\031\056\167\161\126\305 +END +CKA_ISSUER MULTILINE_OCTAL +\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\030\060\026\006\003\125\004\012\014\017\123\123\114\040\103\157 +\162\160\157\162\141\164\151\157\156\061\045\060\043\006\003\125 +\004\003\014\034\123\123\114\056\143\157\155\040\124\114\123\040 +\105\103\103\040\122\157\157\164\040\103\101\040\062\060\062\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\024\003\365\253\373\067\213\027\100\133\342\103\262\245 +\321\304 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "MOIS SSL Root CA" +# +# Issuer: CN=MOIS SSL Root CA,O=Ministry of the Interior and Safety,C=KR +# Serial Number:04:49:ef:c3:eb:1a:24:23:5a:08:c1:dd:3b:70:62:c1:16:74:88:f2 +# Subject: CN=MOIS SSL Root CA,O=Ministry of the Interior and Safety,C=KR +# Not Valid Before: Wed Feb 22 06:38:27 2023 +# Not Valid After : Sun Feb 22 01:00:00 2043 +# Fingerprint (SHA-256): 
1C:F3:41:AE:35:34:1A:C3:AE:1D:C6:8D:5B:10:DC:0C:9D:C1:30:76:56:F7:5F:D9:2C:A2:C6:84:89:D5:2E:9A +# Fingerprint (SHA1): 65:F9:90:1C:54:9C:9B:EC:6B:F4:22:B7:FD:8E:E3:82:F6:26:18:6B +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "MOIS SSL Root CA" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\126\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\054\060\052\006\003\125\004\012\014\043\115\151\156\151\163\164 +\162\171\040\157\146\040\164\150\145\040\111\156\164\145\162\151 +\157\162\040\141\156\144\040\123\141\146\145\164\171\061\031\060 +\027\006\003\125\004\003\014\020\115\117\111\123\040\123\123\114 +\040\122\157\157\164\040\103\101 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\126\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\054\060\052\006\003\125\004\012\014\043\115\151\156\151\163\164 +\162\171\040\157\146\040\164\150\145\040\111\156\164\145\162\151 +\157\162\040\141\156\144\040\123\141\146\145\164\171\061\031\060 +\027\006\003\125\004\003\014\020\115\117\111\123\040\123\123\114 +\040\122\157\157\164\040\103\101 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\004\111\357\303\353\032\044\043\132\010\301\335\073\160 +\142\301\026\164\210\362 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\174\060\202\003\144\240\003\002\001\002\002\024\004 +\111\357\303\353\032\044\043\132\010\301\335\073\160\142\301\026 +\164\210\362\060\015\006\011\052\206\110\206\367\015\001\001\013 +\005\000\060\126\061\013\060\011\006\003\125\004\006\023\002\113 +\122\061\054\060\052\006\003\125\004\012\014\043\115\151\156\151 +\163\164\162\171\040\157\146\040\164\150\145\040\111\156\164\145 +\162\151\157\162\040\141\156\144\040\123\141\146\145\164\171\061 +\031\060\027\006\003\125\004\003\014\020\115\117\111\123\040\123 +\123\114\040\122\157\157\164\040\103\101\060\036\027\015\062\063 
+\060\062\062\062\060\066\063\070\062\067\132\027\015\064\063\060 +\062\062\062\060\061\060\060\060\060\132\060\126\061\013\060\011 +\006\003\125\004\006\023\002\113\122\061\054\060\052\006\003\125 +\004\012\014\043\115\151\156\151\163\164\162\171\040\157\146\040 +\164\150\145\040\111\156\164\145\162\151\157\162\040\141\156\144 +\040\123\141\146\145\164\171\061\031\060\027\006\003\125\004\003 +\014\020\115\117\111\123\040\123\123\114\040\122\157\157\164\040 +\103\101\060\202\002\042\060\015\006\011\052\206\110\206\367\015 +\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202 +\002\001\000\277\016\363\146\227\324\206\136\007\177\353\305\346 +\225\013\274\071\163\134\024\175\070\322\237\126\070\030\247\372 +\250\340\017\211\041\304\054\261\003\371\115\200\257\204\141\260 +\116\145\240\274\046\332\111\353\245\211\153\244\211\344\112\003 +\300\041\072\046\122\070\074\031\262\001\265\220\073\227\330\045 +\161\175\100\043\221\110\064\304\203\123\314\071\347\055\016\211 +\040\175\372\375\331\024\131\176\054\373\117\177\240\213\321\341 +\311\242\341\112\355\200\052\326\217\347\144\033\320\274\106\007 +\347\104\122\273\221\325\335\102\165\072\014\346\163\247\211\355 +\253\200\241\026\305\160\130\246\250\352\300\066\321\315\262\260 +\331\242\177\336\365\072\154\352\221\322\252\267\304\311\037\137 +\204\242\145\325\060\040\135\047\077\114\132\246\036\110\241\127 +\255\140\152\341\276\071\301\260\115\001\242\200\245\073\220\301 +\351\164\026\146\104\306\314\164\027\134\266\126\303\364\205\147 +\306\255\166\116\260\111\161\161\327\060\215\201\256\276\052\373 +\034\204\342\016\364\176\204\047\244\336\247\031\227\121\276\015 +\202\241\035\261\247\004\232\276\235\070\344\103\153\013\166\141 +\022\030\366\224\246\251\015\200\021\040\046\254\246\326\064\121 +\132\336\313\304\114\372\156\222\013\273\123\322\120\133\127\122 +\164\341\113\220\013\132\224\141\205\116\105\264\077\374\255\362 +\242\006\041\040\253\022\063\004\003\315\134\135\177\011\337\351 
+\325\153\335\272\043\132\045\117\203\213\030\040\370\035\203\007 +\110\254\023\172\050\055\074\060\073\321\263\153\015\321\077\110 +\365\143\350\151\313\274\155\266\070\122\036\367\134\265\251\323 +\347\370\014\137\337\156\254\052\361\347\272\300\014\375\176\130 +\201\376\056\153\130\230\026\231\276\052\271\205\336\062\235\366 +\337\120\261\010\227\015\050\260\305\347\347\005\220\221\264\275 +\033\206\137\101\057\303\347\206\061\315\303\051\003\022\127\217 +\204\010\245\021\245\146\027\021\346\020\001\243\335\152\170\047 +\252\025\162\302\052\342\262\006\253\107\101\246\024\136\150\347 +\313\135\146\246\323\370\331\332\247\363\376\206\164\070\000\060 +\156\312\137\005\166\366\023\100\264\357\030\340\310\223\241\350 +\033\004\127\002\003\001\000\001\243\102\060\100\060\035\006\003 +\125\035\016\004\026\004\024\067\132\011\373\316\044\341\347\147 +\307\276\007\150\314\334\050\037\204\061\015\060\016\006\003\125 +\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125 +\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011 +\052\206\110\206\367\015\001\001\013\005\000\003\202\002\001\000 +\170\066\177\062\011\304\163\176\153\311\225\103\334\205\025\203 +\277\257\055\156\105\215\075\002\373\151\305\330\100\036\171\341 +\270\153\125\053\325\300\120\027\025\216\211\257\014\371\201\026 +\234\304\007\035\206\365\067\172\251\065\037\247\142\040\342\301 +\230\227\370\232\372\231\055\127\353\176\337\364\331\057\117\373 +\160\004\104\140\022\140\150\036\035\263\315\163\304\252\330\227 +\271\253\102\215\037\014\340\072\201\202\305\043\146\276\370\134 +\372\156\225\033\374\274\237\147\367\256\054\223\061\140\255\063 +\011\041\124\203\245\102\136\031\353\075\261\237\370\254\015\364 +\164\137\162\323\010\006\267\053\027\173\140\174\054\267\066\141 +\037\100\215\144\157\216\361\271\263\345\162\326\166\275\015\362 +\046\134\146\253\153\204\223\225\322\265\314\117\216\261\152\062 +\223\351\056\243\113\026\376\150\023\320\263\231\333\256\054\215 
+\124\331\302\024\020\136\145\100\014\252\367\305\367\303\021\262 +\216\014\135\255\122\352\340\272\312\120\247\317\174\101\135\255 +\362\043\233\027\277\261\054\003\367\216\141\243\066\247\323\227 +\161\130\132\365\135\336\124\056\063\262\363\011\100\217\331\326 +\257\066\204\322\306\072\331\357\165\045\240\354\317\112\201\323 +\175\002\032\366\357\321\141\307\210\142\007\000\374\350\305\053 +\163\014\140\076\057\231\102\335\024\222\062\271\321\111\021\053 +\225\316\110\112\217\217\054\162\257\037\037\033\036\223\365\060 +\314\044\151\305\144\360\055\256\330\120\275\370\146\041\232\156 +\154\261\266\032\314\005\071\214\024\334\327\275\241\332\053\002 +\113\271\300\050\055\322\220\200\225\171\224\240\247\041\135\373 +\315\030\017\056\323\063\017\070\052\167\054\315\224\003\166\333 +\044\247\051\065\123\360\124\155\017\142\121\062\072\256\225\177 +\314\221\155\266\122\326\365\106\206\030\220\166\031\354\245\366 +\266\141\352\114\072\054\171\306\043\021\031\053\352\320\144\020 +\174\116\113\154\036\042\120\066\360\161\115\036\141\377\112\112 +\331\357\203\162\225\166\276\035\244\311\372\303\164\126\265\170 +\076\212\350\267\253\235\172\274\037\211\203\341\351\132\005\253 +\070\113\374\247\123\276\022\321\014\220\037\000\203\161\010\345 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "MOIS SSL Root CA" +# Issuer: CN=MOIS SSL Root CA,O=Ministry of the Interior and Safety,C=KR +# Serial Number:04:49:ef:c3:eb:1a:24:23:5a:08:c1:dd:3b:70:62:c1:16:74:88:f2 +# Subject: CN=MOIS SSL Root CA,O=Ministry of the Interior and Safety,C=KR +# Not Valid Before: Wed Feb 22 06:38:27 2023 +# Not Valid After : Sun Feb 22 01:00:00 2043 +# Fingerprint (SHA-256): 1C:F3:41:AE:35:34:1A:C3:AE:1D:C6:8D:5B:10:DC:0C:9D:C1:30:76:56:F7:5F:D9:2C:A2:C6:84:89:D5:2E:9A +# Fingerprint (SHA1): 65:F9:90:1C:54:9C:9B:EC:6B:F4:22:B7:FD:8E:E3:82:F6:26:18:6B +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST 
+CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "MOIS SSL Root CA" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\145\371\220\034\124\234\233\354\153\364\042\267\375\216\343\202 +\366\046\030\153 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\132\324\026\077\277\033\110\265\371\156\245\276\312\074\227\340 +END +CKA_ISSUER MULTILINE_OCTAL +\060\126\061\013\060\011\006\003\125\004\006\023\002\113\122\061 +\054\060\052\006\003\125\004\012\014\043\115\151\156\151\163\164 +\162\171\040\157\146\040\164\150\145\040\111\156\164\145\162\151 +\157\162\040\141\156\144\040\123\141\146\145\164\171\061\031\060 +\027\006\003\125\004\003\014\020\115\117\111\123\040\123\123\114 +\040\122\157\157\164\040\103\101 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\004\111\357\303\353\032\044\043\132\010\301\335\073\160 +\142\301\026\164\210\362 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "Entrust 4K EV TLS Root CA - 2022" +# +# Issuer: CN=Entrust 4K EV TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Serial Number:72:42:9d:8f:40:df:e4:6d:af:be:06:eb:b5:33:19:4c:e9:0d:6c:76 +# Subject: CN=Entrust 4K EV TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Not Valid Before: Tue Dec 13 16:35:08 2022 +# Not Valid After : Sat Dec 07 16:35:08 2047 +# Fingerprint (SHA-256): 64:79:87:D9:8D:52:64:5D:A4:D3:DE:3B:80:77:1A:0C:E0:2B:9B:92:85:E6:E8:69:99:88:21:70:74:4E:C9:AA +# Fingerprint (SHA1): EA:DB:0A:B9:DC:79:38:02:14:35:FE:D1:3E:48:84:06:A1:AA:29:2A +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Entrust 4K EV TLS Root CA - 2022" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL 
+\060\120\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\051\060\047\006\003\125\004\003 +\023\040\105\156\164\162\165\163\164\040\064\113\040\105\126\040 +\124\114\123\040\122\157\157\164\040\103\101\040\055\040\062\060 +\062\062 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\120\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\051\060\047\006\003\125\004\003 +\023\040\105\156\164\162\165\163\164\040\064\113\040\105\126\040 +\124\114\123\040\122\157\157\164\040\103\101\040\055\040\062\060 +\062\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\162\102\235\217\100\337\344\155\257\276\006\353\265\063 +\031\114\351\015\154\166 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\221\060\202\003\171\240\003\002\001\002\002\024\162 +\102\235\217\100\337\344\155\257\276\006\353\265\063\031\114\351 +\015\154\166\060\015\006\011\052\206\110\206\367\015\001\001\014 +\005\000\060\120\061\013\060\011\006\003\125\004\006\023\002\125 +\123\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162 +\165\163\164\054\040\111\156\143\056\061\051\060\047\006\003\125 +\004\003\023\040\105\156\164\162\165\163\164\040\064\113\040\105 +\126\040\124\114\123\040\122\157\157\164\040\103\101\040\055\040 +\062\060\062\062\060\036\027\015\062\062\061\062\061\063\061\066 +\063\065\060\070\132\027\015\064\067\061\062\060\067\061\066\063 +\065\060\070\132\060\120\061\013\060\011\006\003\125\004\006\023 +\002\125\123\061\026\060\024\006\003\125\004\012\023\015\105\156 +\164\162\165\163\164\054\040\111\156\143\056\061\051\060\047\006 +\003\125\004\003\023\040\105\156\164\162\165\163\164\040\064\113 +\040\105\126\040\124\114\123\040\122\157\157\164\040\103\101\040 +\055\040\062\060\062\062\060\202\002\042\060\015\006\011\052\206 
+\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202 +\002\012\002\202\002\001\000\255\317\070\066\220\361\013\060\235 +\125\141\335\042\275\330\061\033\222\144\350\345\036\066\310\206 +\026\035\270\015\162\005\104\351\160\242\317\315\270\206\017\314 +\357\144\064\324\076\340\246\142\302\052\007\306\106\317\357\236 +\070\230\070\273\135\276\032\120\007\071\353\231\374\175\324\201 +\130\341\252\014\255\145\344\037\012\177\006\020\170\205\177\207 +\241\217\071\160\072\236\135\263\172\261\116\264\075\371\312\344 +\024\220\117\347\155\352\207\342\211\247\141\346\212\324\131\276 +\045\251\051\304\062\044\303\222\056\372\164\061\022\375\301\126 +\224\331\262\126\070\006\253\316\057\076\014\227\252\171\161\352 +\121\155\127\046\371\047\167\236\016\252\150\100\227\235\157\125 +\365\037\334\134\335\177\043\117\312\146\135\153\163\021\037\141 +\120\012\233\372\004\033\151\275\346\264\212\344\042\127\220\123 +\274\151\000\352\243\364\107\134\204\277\333\106\325\325\347\122 +\111\253\261\347\145\140\171\067\236\337\011\131\364\331\371\265 +\264\316\343\136\232\005\151\320\240\171\054\215\371\103\077\255 +\115\060\331\327\166\372\210\374\033\123\267\277\167\221\146\021 +\074\252\004\366\377\260\342\262\067\320\026\262\343\333\317\162 +\021\136\236\373\360\375\342\344\224\144\167\370\165\126\163\326 +\177\113\004\261\243\037\343\141\047\126\215\103\333\045\171\314 +\314\327\142\332\134\307\160\144\073\277\164\050\205\266\260\264 +\042\106\025\336\342\307\010\340\365\026\133\124\044\023\366\226 +\373\011\173\372\176\163\076\227\122\034\106\134\032\017\233\264 +\262\341\220\134\057\024\160\064\131\156\270\252\062\020\350\005 +\042\346\345\271\333\360\315\141\234\143\157\114\044\207\005\226 +\232\167\117\241\121\210\001\173\224\025\046\070\034\020\252\132 +\244\300\202\352\100\251\101\054\116\255\142\160\307\174\151\363 +\213\166\063\161\067\275\225\013\175\067\345\074\016\270\171\046 +\337\356\200\123\060\347\227\165\054\375\203\200\062\150\077\120 
+\330\343\104\126\226\364\200\272\216\207\010\306\032\274\065\272 +\047\033\325\075\372\270\100\076\116\144\212\011\204\066\340\325 +\232\036\372\313\034\347\264\202\123\334\341\017\165\066\203\115 +\271\101\343\347\034\155\277\002\003\001\000\001\243\143\060\141 +\060\035\006\003\125\035\016\004\026\004\024\013\335\220\325\217 +\273\077\134\275\140\240\125\032\044\202\206\074\101\060\101\060 +\037\006\003\125\035\043\004\030\060\026\200\024\013\335\220\325 +\217\273\077\134\275\140\240\125\032\044\202\206\074\101\060\101 +\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001 +\377\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001 +\206\060\015\006\011\052\206\110\206\367\015\001\001\014\005\000 +\003\202\002\001\000\022\035\315\277\076\002\376\307\303\313\150 +\073\051\013\270\226\101\312\143\022\075\062\005\143\327\156\277 +\307\366\170\050\366\307\220\274\025\031\350\137\134\044\252\354 +\011\331\257\101\167\067\305\257\113\304\041\254\123\105\237\137 +\364\222\115\076\167\337\043\333\272\223\060\006\350\173\241\061 +\347\227\006\371\076\252\325\231\315\317\161\322\077\251\125\233 +\367\313\145\355\057\262\140\251\263\134\124\310\074\222\343\221 +\010\176\272\330\230\071\132\103\267\064\311\151\251\327\121\273 +\247\103\124\277\066\352\304\001\146\351\017\262\376\301\102\255 +\362\136\013\105\117\020\040\242\346\041\147\250\207\142\352\131 +\107\041\257\256\360\103\353\323\052\205\116\116\014\336\240\134 +\146\301\370\323\237\354\376\165\007\307\301\250\366\023\052\117 +\322\020\365\273\330\147\161\144\075\232\212\320\073\373\155\314 +\104\016\344\236\213\064\150\075\150\140\057\100\071\153\017\242 +\367\343\224\355\173\076\352\264\272\234\022\016\331\167\316\323 +\327\157\214\301\174\146\031\177\042\175\305\160\326\034\317\266 +\212\010\370\116\003\334\363\154\160\036\241\176\221\302\070\225 +\325\105\123\006\207\221\006\112\306\264\102\057\037\312\335\332 +\164\321\154\170\304\145\057\367\176\325\242\364\335\146\124\226 
+\256\025\301\145\363\137\352\334\132\060\102\216\074\346\053\206 +\215\221\060\254\161\342\141\323\206\144\247\220\335\123\224\172 +\111\222\265\343\145\166\352\252\124\333\254\073\124\037\365\346 +\374\063\262\060\343\257\371\357\236\264\101\257\210\034\064\036 +\024\011\005\350\111\210\134\327\265\360\173\112\353\031\077\354 +\363\310\166\317\364\377\043\331\074\041\271\165\266\247\011\203 +\126\053\022\303\125\073\070\355\006\172\035\303\350\103\101\343 +\205\070\233\212\345\142\011\306\364\034\150\364\270\023\111\363 +\042\301\057\377\063\045\176\116\073\157\116\270\333\076\322\221 +\341\347\224\350\256\327\127\170\355\377\236\340\352\150\105\367 +\362\123\157\053\344\200\377\350\177\043\042\212\263\011\152\273 +\101\174\201\252\026\177\242\371\021\133\331\071\210\174\073\201 +\050\212\326\061\132\367\303\346\124\344\045\023\165\151\066\227 +\170\061\265\000\331 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "Entrust 4K EV TLS Root CA - 2022" +# Issuer: CN=Entrust 4K EV TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Serial Number:72:42:9d:8f:40:df:e4:6d:af:be:06:eb:b5:33:19:4c:e9:0d:6c:76 +# Subject: CN=Entrust 4K EV TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Not Valid Before: Tue Dec 13 16:35:08 2022 +# Not Valid After : Sat Dec 07 16:35:08 2047 +# Fingerprint (SHA-256): 64:79:87:D9:8D:52:64:5D:A4:D3:DE:3B:80:77:1A:0C:E0:2B:9B:92:85:E6:E8:69:99:88:21:70:74:4E:C9:AA +# Fingerprint (SHA1): EA:DB:0A:B9:DC:79:38:02:14:35:FE:D1:3E:48:84:06:A1:AA:29:2A +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Entrust 4K EV TLS Root CA - 2022" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\352\333\012\271\334\171\070\002\024\065\376\321\076\110\204\006 +\241\252\051\052 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL 
+\304\312\223\366\333\076\310\024\113\277\232\232\273\341\206\111 +END +CKA_ISSUER MULTILINE_OCTAL +\060\120\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\051\060\047\006\003\125\004\003 +\023\040\105\156\164\162\165\163\164\040\064\113\040\105\126\040 +\124\114\123\040\122\157\157\164\040\103\101\040\055\040\062\060 +\062\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\162\102\235\217\100\337\344\155\257\276\006\353\265\063 +\031\114\351\015\154\166 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "AffirmTrust 4K TLS Root CA - 2022" +# +# Issuer: CN=AffirmTrust 4K TLS Root CA - 2022,O=AffirmTrust,C=CA +# Serial Number:42:61:72:3e:9b:00:a2:27:d3:bd:58:71:e2:d5:b4:04:68:74:73:a5 +# Subject: CN=AffirmTrust 4K TLS Root CA - 2022,O=AffirmTrust,C=CA +# Not Valid Before: Tue Dec 13 17:05:48 2022 +# Not Valid After : Sat Dec 07 17:05:48 2047 +# Fingerprint (SHA-256): A7:DE:DF:5A:84:21:67:DD:12:FD:AA:0F:20:80:E7:32:95:B8:B8:BE:A7:1B:20:94:EA:09:50:94:5A:48:2F:C1 +# Fingerprint (SHA1): 2E:03:93:1C:D1:9C:3F:F5:98:5F:B8:7A:AD:C1:53:EB:5D:BD:F1:E3 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "AffirmTrust 4K TLS Root CA - 2022" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\117\061\013\060\011\006\003\125\004\006\023\002\103\101\061 +\024\060\022\006\003\125\004\012\023\013\101\146\146\151\162\155 +\124\162\165\163\164\061\052\060\050\006\003\125\004\003\023\041 +\101\146\146\151\162\155\124\162\165\163\164\040\064\113\040\124 +\114\123\040\122\157\157\164\040\103\101\040\055\040\062\060\062 +\062 +END +CKA_ID UTF8 "0" 
+CKA_ISSUER MULTILINE_OCTAL +\060\117\061\013\060\011\006\003\125\004\006\023\002\103\101\061 +\024\060\022\006\003\125\004\012\023\013\101\146\146\151\162\155 +\124\162\165\163\164\061\052\060\050\006\003\125\004\003\023\041 +\101\146\146\151\162\155\124\162\165\163\164\040\064\113\040\124 +\114\123\040\122\157\157\164\040\103\101\040\055\040\062\060\062 +\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\102\141\162\076\233\000\242\047\323\275\130\161\342\325 +\264\004\150\164\163\245 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\217\060\202\003\167\240\003\002\001\002\002\024\102 +\141\162\076\233\000\242\047\323\275\130\161\342\325\264\004\150 +\164\163\245\060\015\006\011\052\206\110\206\367\015\001\001\014 +\005\000\060\117\061\013\060\011\006\003\125\004\006\023\002\103 +\101\061\024\060\022\006\003\125\004\012\023\013\101\146\146\151 +\162\155\124\162\165\163\164\061\052\060\050\006\003\125\004\003 +\023\041\101\146\146\151\162\155\124\162\165\163\164\040\064\113 +\040\124\114\123\040\122\157\157\164\040\103\101\040\055\040\062 +\060\062\062\060\036\027\015\062\062\061\062\061\063\061\067\060 +\065\064\070\132\027\015\064\067\061\062\060\067\061\067\060\065 +\064\070\132\060\117\061\013\060\011\006\003\125\004\006\023\002 +\103\101\061\024\060\022\006\003\125\004\012\023\013\101\146\146 +\151\162\155\124\162\165\163\164\061\052\060\050\006\003\125\004 +\003\023\041\101\146\146\151\162\155\124\162\165\163\164\040\064 +\113\040\124\114\123\040\122\157\157\164\040\103\101\040\055\040 +\062\060\062\062\060\202\002\042\060\015\006\011\052\206\110\206 +\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012 +\002\202\002\001\000\340\236\054\316\017\250\330\330\113\052\342 +\165\050\114\365\067\122\217\224\074\206\111\222\106\261\126\040 +\055\164\226\355\162\277\343\267\222\157\003\011\272\022\250\273 +\347\311\171\171\210\021\112\333\262\240\340\060\242\222\222\273 +\055\031\142\042\107\251\336\311\275\062\244\125\052\036\131\272 
+\360\234\111\225\242\055\114\237\265\330\125\324\017\043\271\000 +\021\322\277\116\034\116\072\003\030\271\375\247\333\143\237\242 +\065\275\157\361\350\330\171\172\276\071\165\262\104\346\377\022 +\307\162\322\077\367\371\371\236\015\121\236\155\023\255\333\111 +\226\342\234\052\067\161\127\004\047\034\265\017\252\364\150\256 +\072\175\327\075\064\003\160\040\322\125\330\017\314\214\150\247 +\301\377\271\311\376\013\014\045\354\034\324\053\114\217\076\122 +\214\126\125\017\025\160\125\053\164\227\215\122\304\202\140\335 +\166\170\171\152\247\215\250\062\321\334\233\340\371\116\061\041 +\225\116\057\205\164\053\066\345\207\020\174\256\356\365\305\376 +\114\361\322\342\176\157\327\350\201\325\233\270\377\130\010\202 +\221\123\335\272\024\170\151\135\214\301\152\257\273\225\270\171 +\114\135\070\251\054\243\303\160\153\177\217\005\043\121\170\177 +\371\171\274\147\232\312\254\070\122\070\014\162\212\010\247\305 +\017\021\027\362\045\345\100\140\127\030\374\252\002\124\352\104 +\203\366\252\212\036\016\242\203\012\063\133\176\066\141\131\355 +\143\224\054\257\215\242\266\370\264\332\035\374\105\042\071\335 +\060\255\376\033\141\121\150\133\357\227\353\000\376\335\233\035 +\322\003\061\156\161\273\271\374\124\217\244\324\246\171\203\063 +\375\372\313\355\307\242\344\021\155\265\204\202\275\367\022\340 +\345\335\224\020\072\214\171\333\302\117\353\371\317\160\042\246 +\206\015\367\066\036\342\342\024\304\207\036\355\052\301\121\155 +\222\021\005\177\273\360\343\015\053\115\162\143\046\266\301\355 +\346\142\371\252\375\345\375\345\270\163\300\233\313\073\214\003 +\310\160\122\077\030\105\003\333\016\022\226\115\144\041\264\027 +\133\271\314\077\104\035\076\101\300\064\131\002\164\350\356\127 +\113\230\150\350\221\356\104\117\050\244\065\140\345\121\016\156 +\162\170\055\100\313\002\003\001\000\001\243\143\060\141\060\035 +\006\003\125\035\016\004\026\004\024\007\207\132\364\007\150\161 +\331\146\033\342\144\170\200\067\200\134\336\367\047\060\037\006 
+\003\125\035\043\004\030\060\026\200\024\007\207\132\364\007\150 +\161\331\146\033\342\144\170\200\067\200\134\336\367\047\060\017 +\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 +\016\006\003\125\035\017\001\001\377\004\004\003\002\001\206\060 +\015\006\011\052\206\110\206\367\015\001\001\014\005\000\003\202 +\002\001\000\006\266\045\256\366\256\256\360\222\076\315\074\047 +\147\233\156\371\155\121\167\372\327\171\176\220\224\100\026\123 +\026\335\307\043\367\067\304\345\177\224\110\014\133\330\346\237 +\171\017\131\055\126\204\242\333\021\214\111\075\130\154\130\125 +\162\346\204\150\240\256\333\170\222\031\337\005\044\050\113\052 +\347\236\037\065\263\276\123\252\101\106\127\120\161\255\074\012 +\376\016\153\352\276\174\031\265\124\233\330\030\054\237\044\377 +\253\114\346\304\261\277\124\221\143\214\030\057\325\047\363\077 +\344\123\365\216\266\306\314\256\250\050\004\167\354\135\250\022 +\077\170\037\026\205\127\365\147\024\145\013\153\272\313\177\031 +\222\237\027\357\256\142\143\322\230\272\163\117\163\222\232\232 +\077\256\022\137\034\304\211\140\026\203\066\061\024\110\206\231 +\251\072\002\347\246\061\037\371\314\134\102\273\171\337\147\021 +\153\352\274\130\035\361\127\341\244\113\260\135\140\201\063\023 +\131\143\000\104\052\050\043\015\043\065\034\164\215\127\213\124 +\015\100\017\142\011\167\074\172\243\055\146\270\251\332\315\175 +\215\062\101\010\155\275\364\153\273\133\141\276\151\154\267\240 +\040\277\015\003\331\057\134\120\305\235\321\044\361\345\225\276 +\200\324\363\025\116\335\177\212\124\211\063\132\215\007\055\034 +\075\376\156\366\231\046\246\244\247\066\167\027\101\350\156\203 +\135\317\057\170\324\000\145\264\055\120\137\211\250\121\055\202 +\055\006\235\213\227\016\020\021\172\155\322\247\016\313\347\310 +\121\044\021\256\127\274\016\175\254\046\354\146\254\012\310\210 +\357\156\245\275\137\122\124\261\244\355\045\365\365\054\337\370 +\106\253\140\100\277\160\355\355\267\026\266\021\355\174\351\336 
+\277\226\262\207\074\153\244\333\202\103\023\124\305\150\043\356 +\351\002\052\113\331\337\265\241\062\222\301\171\016\031\246\324 +\376\115\156\145\021\217\027\335\045\323\354\005\167\247\120\325 +\371\075\133\234\255\174\150\015\076\065\256\146\105\255\176\005 +\043\336\173\076\345\306\067\034\364\323\276\132\251\177\174\377 +\140\352\024\260\331\353\251\067\140\254\146\166\244\356\064\321 +\367\212\274\201\013\002\054\102\360\071\362\012\020\372\046\313 +\123\156\341 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "AffirmTrust 4K TLS Root CA - 2022" +# Issuer: CN=AffirmTrust 4K TLS Root CA - 2022,O=AffirmTrust,C=CA +# Serial Number:42:61:72:3e:9b:00:a2:27:d3:bd:58:71:e2:d5:b4:04:68:74:73:a5 +# Subject: CN=AffirmTrust 4K TLS Root CA - 2022,O=AffirmTrust,C=CA +# Not Valid Before: Tue Dec 13 17:05:48 2022 +# Not Valid After : Sat Dec 07 17:05:48 2047 +# Fingerprint (SHA-256): A7:DE:DF:5A:84:21:67:DD:12:FD:AA:0F:20:80:E7:32:95:B8:B8:BE:A7:1B:20:94:EA:09:50:94:5A:48:2F:C1 +# Fingerprint (SHA1): 2E:03:93:1C:D1:9C:3F:F5:98:5F:B8:7A:AD:C1:53:EB:5D:BD:F1:E3 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "AffirmTrust 4K TLS Root CA - 2022" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\056\003\223\034\321\234\077\365\230\137\270\172\255\301\123\353 +\135\275\361\343 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\350\222\276\172\060\173\254\161\055\161\014\042\254\154\130\314 +END +CKA_ISSUER MULTILINE_OCTAL +\060\117\061\013\060\011\006\003\125\004\006\023\002\103\101\061 +\024\060\022\006\003\125\004\012\023\013\101\146\146\151\162\155 +\124\162\165\163\164\061\052\060\050\006\003\125\004\003\023\041 +\101\146\146\151\162\155\124\162\165\163\164\040\064\113\040\124 +\114\123\040\122\157\157\164\040\103\101\040\055\040\062\060\062 +\062 +END +CKA_SERIAL_NUMBER 
MULTILINE_OCTAL +\002\024\102\141\162\076\233\000\242\047\323\275\130\161\342\325 +\264\004\150\164\163\245 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "A-Trust-Root-09" +# +# Issuer: CN=A-Trust-Root-09,OU=A-Trust-Root-09,O=A-Trust GmbH,C=AT +# Serial Number: 1990048213 (0x769db9d5) +# Subject: CN=A-Trust-Root-09,OU=A-Trust-Root-09,O=A-Trust GmbH,C=AT +# Not Valid Before: Tue Feb 21 14:22:48 2023 +# Not Valid After : Mon Jul 14 12:22:48 2036 +# Fingerprint (SHA-256): 7A:38:F7:08:A3:5A:31:E4:2E:1C:F3:22:0F:9A:2D:27:3E:76:66:35:46:18:B2:46:46:57:D4:3D:8E:77:AD:C2 +# Fingerprint (SHA1): D0:58:49:DE:40:04:DA:6E:86:7D:EE:00:06:71:CD:A8:F4:23:26:6F +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "A-Trust-Root-09" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\130\061\013\060\011\006\003\125\004\006\023\002\101\124\061 +\025\060\023\006\003\125\004\012\014\014\101\055\124\162\165\163 +\164\040\107\155\142\110\061\030\060\026\006\003\125\004\013\014 +\017\101\055\124\162\165\163\164\055\122\157\157\164\055\060\071 +\061\030\060\026\006\003\125\004\003\014\017\101\055\124\162\165 +\163\164\055\122\157\157\164\055\060\071 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\130\061\013\060\011\006\003\125\004\006\023\002\101\124\061 +\025\060\023\006\003\125\004\012\014\014\101\055\124\162\165\163 +\164\040\107\155\142\110\061\030\060\026\006\003\125\004\013\014 +\017\101\055\124\162\165\163\164\055\122\157\157\164\055\060\071 +\061\030\060\026\006\003\125\004\003\014\017\101\055\124\162\165 +\163\164\055\122\157\157\164\055\060\071 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\004\166\235\271\325 +END +CKA_VALUE 
MULTILINE_OCTAL +\060\202\005\144\060\202\003\114\240\003\002\001\002\002\004\166 +\235\271\325\060\015\006\011\052\206\110\206\367\015\001\001\013 +\005\000\060\130\061\013\060\011\006\003\125\004\006\023\002\101 +\124\061\025\060\023\006\003\125\004\012\014\014\101\055\124\162 +\165\163\164\040\107\155\142\110\061\030\060\026\006\003\125\004 +\013\014\017\101\055\124\162\165\163\164\055\122\157\157\164\055 +\060\071\061\030\060\026\006\003\125\004\003\014\017\101\055\124 +\162\165\163\164\055\122\157\157\164\055\060\071\060\036\027\015 +\062\063\060\062\062\061\061\064\062\062\064\070\132\027\015\063 +\066\060\067\061\064\061\062\062\062\064\070\132\060\130\061\013 +\060\011\006\003\125\004\006\023\002\101\124\061\025\060\023\006 +\003\125\004\012\014\014\101\055\124\162\165\163\164\040\107\155 +\142\110\061\030\060\026\006\003\125\004\013\014\017\101\055\124 +\162\165\163\164\055\122\157\157\164\055\060\071\061\030\060\026 +\006\003\125\004\003\014\017\101\055\124\162\165\163\164\055\122 +\157\157\164\055\060\071\060\202\002\042\060\015\006\011\052\206 +\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202 +\002\012\002\202\002\001\000\276\056\372\003\131\257\257\301\216 +\122\367\206\177\242\275\012\023\150\334\364\160\234\172\373\264 +\135\021\135\110\013\100\306\321\202\004\202\306\040\341\273\020 +\155\170\302\044\030\035\005\331\241\160\115\255\311\156\070\000 +\220\015\121\110\053\246\324\010\137\274\174\255\222\203\364\115 +\160\371\115\252\200\341\277\133\206\233\222\206\314\212\271\050 +\340\061\021\161\257\317\110\036\026\070\372\011\370\073\200\203 +\373\326\306\202\341\167\221\205\340\012\114\374\077\015\144\165 +\351\034\350\373\360\030\051\237\066\012\274\040\323\262\226\106 +\217\017\344\307\232\170\120\015\137\046\155\031\144\024\041\360 +\366\176\232\216\354\257\076\163\246\031\045\024\345\322\125\314 +\131\016\074\207\007\257\117\007\005\051\237\320\361\052\302\300 +\226\142\346\061\335\372\123\000\266\042\046\320\265\245\274\354 
+\350\340\201\314\140\335\375\260\306\150\003\352\333\021\101\056 +\142\201\077\311\326\041\003\210\326\175\005\252\345\314\224\075 +\256\162\051\132\175\022\164\037\230\272\120\043\167\022\306\203 +\025\357\172\070\021\162\142\313\176\064\060\103\020\367\014\171 +\164\124\063\250\126\305\132\054\274\236\057\274\343\175\140\203 +\306\145\175\256\000\173\273\266\267\165\163\242\351\251\353\126 +\274\261\104\352\215\175\144\211\242\240\306\345\305\361\367\247 +\100\361\032\171\351\204\217\056\163\277\170\220\047\012\054\374 +\067\305\134\177\054\367\362\103\364\005\343\277\006\167\254\265 +\101\005\110\155\072\104\026\147\116\174\062\002\262\224\017\360 +\330\062\211\364\003\254\157\143\025\314\041\176\315\334\106\057 +\202\266\055\045\257\227\115\237\066\037\324\221\372\302\145\266 +\342\033\377\040\244\336\042\317\136\101\321\274\024\327\074\325 +\172\120\023\274\372\156\147\132\023\012\334\364\174\363\132\000 +\175\207\301\166\066\054\010\315\273\125\310\202\322\035\326\113 +\221\176\277\067\363\117\342\240\345\261\027\203\357\124\104\252 +\254\015\034\000\346\024\212\266\011\003\034\142\314\253\055\076 +\157\361\354\010\315\376\216\233\213\306\126\057\257\062\303\071 +\063\135\122\377\034\032\224\027\356\334\365\244\041\003\013\237 +\346\222\374\154\130\370\313\002\003\001\000\001\243\066\060\064 +\060\021\006\003\125\035\016\004\012\004\010\102\073\077\224\017 +\377\224\321\060\016\006\003\125\035\017\001\001\377\004\004\003 +\002\001\206\060\017\006\003\125\035\023\001\001\377\004\005\060 +\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001 +\013\005\000\003\202\002\001\000\034\067\107\046\240\016\163\306 +\235\072\261\371\224\067\351\105\351\210\251\147\152\023\221\152 +\124\302\234\367\164\331\227\144\256\346\007\211\060\121\004\125 +\303\361\317\175\214\245\072\317\022\215\126\320\177\341\257\356 +\076\344\162\111\115\017\203\335\221\256\131\226\243\117\201\007 +\003\265\063\337\260\100\175\313\157\267\152\073\010\313\315\360 
+\253\125\074\236\252\213\017\236\121\262\117\110\213\015\241\055 +\365\053\110\164\057\242\014\002\270\342\216\047\020\224\111\055 +\166\100\100\111\026\360\222\146\332\277\160\141\147\307\355\340 +\163\236\231\262\354\125\123\175\274\072\017\375\104\243\220\374 +\374\215\061\015\026\127\210\277\142\055\011\326\014\105\206\270 +\333\361\221\353\161\230\372\337\057\062\215\245\154\031\336\325 +\106\373\200\134\167\122\251\177\041\103\351\374\146\135\205\371 +\260\346\101\304\157\010\066\365\150\155\352\243\110\131\223\161 +\141\362\124\102\255\001\143\125\327\102\035\333\227\103\231\026 +\161\341\125\171\371\113\102\366\220\203\226\271\350\075\353\044 +\145\066\053\357\023\355\012\033\314\112\320\323\330\041\006\374 +\236\167\201\125\006\324\336\252\314\374\237\222\223\317\146\332 +\312\237\223\226\364\305\152\314\312\305\340\134\373\075\347\036 +\174\375\322\240\263\113\026\377\312\063\345\216\250\154\203\162 +\146\155\014\306\102\226\027\127\164\240\316\052\111\035\226\335 +\162\134\350\125\230\217\012\070\053\252\037\220\337\111\367\247 +\133\062\104\177\132\356\224\145\301\140\333\174\045\240\203\027 +\011\301\141\324\075\316\247\235\351\162\220\216\120\151\177\216 +\315\133\233\170\062\024\303\262\237\244\005\240\124\256\042\352 +\363\155\022\240\102\232\076\043\204\161\034\352\371\374\260\320 +\003\204\132\146\071\316\161\173\046\352\145\207\035\123\300\266 +\102\347\123\140\173\335\126\234\016\123\266\166\115\033\052\252 +\065\067\303\346\337\131\026\101\077\365\115\021\221\062\011\366 +\340\115\075\160\012\224\204\154\051\321\325\210\350\130\233\055 +\027\242\157\307\125\050\241\324\114\046\253\123\012\124\125\003 +\330\057\107\125\325\147\333\337\353\353\372\056\213\130\172\306 +\170\255\111\133\172\154\047\254 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "A-Trust-Root-09" +# Issuer: CN=A-Trust-Root-09,OU=A-Trust-Root-09,O=A-Trust GmbH,C=AT 
+# Serial Number: 1990048213 (0x769db9d5) +# Subject: CN=A-Trust-Root-09,OU=A-Trust-Root-09,O=A-Trust GmbH,C=AT +# Not Valid Before: Tue Feb 21 14:22:48 2023 +# Not Valid After : Mon Jul 14 12:22:48 2036 +# Fingerprint (SHA-256): 7A:38:F7:08:A3:5A:31:E4:2E:1C:F3:22:0F:9A:2D:27:3E:76:66:35:46:18:B2:46:46:57:D4:3D:8E:77:AD:C2 +# Fingerprint (SHA1): D0:58:49:DE:40:04:DA:6E:86:7D:EE:00:06:71:CD:A8:F4:23:26:6F +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "A-Trust-Root-09" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\320\130\111\336\100\004\332\156\206\175\356\000\006\161\315\250 +\364\043\046\157 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\221\105\167\140\250\105\153\373\106\014\373\165\221\007\210\177 +END +CKA_ISSUER MULTILINE_OCTAL +\060\130\061\013\060\011\006\003\125\004\006\023\002\101\124\061 +\025\060\023\006\003\125\004\012\014\014\101\055\124\162\165\163 +\164\040\107\155\142\110\061\030\060\026\006\003\125\004\013\014 +\017\101\055\124\162\165\163\164\055\122\157\157\164\055\060\071 +\061\030\060\026\006\003\125\004\003\014\017\101\055\124\162\165 +\163\164\055\122\157\157\164\055\060\071 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\004\166\235\271\325 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "Atos TrustedRoot Root CA RSA TLS 2021" +# +# Issuer: C=DE,O=Atos,CN=Atos TrustedRoot Root CA RSA TLS 2021 +# Serial Number:53:d5:cf:e6:19:93:0b:fb:2b:05:12:d8:c2:2a:a2:a4 +# Subject: C=DE,O=Atos,CN=Atos TrustedRoot Root CA RSA TLS 2021 +# Not Valid Before: Thu Apr 22 09:21:10 2021 +# Not Valid After : Wed Apr 17 09:21:09 2041 +# Fingerprint (SHA-256): 81:A9:08:8E:A5:9F:B3:64:C5:48:A6:F8:55:59:09:9B:6F:04:05:EF:BF:18:E5:32:4E:C9:F4:57:BA:00:11:2F +# Fingerprint 
(SHA1): 18:52:3B:0D:06:37:E4:D6:3A:DF:23:E4:98:FB:5B:16:FB:86:74:48 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Atos TrustedRoot Root CA RSA TLS 2021" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\114\061\056\060\054\006\003\125\004\003\014\045\101\164\157 +\163\040\124\162\165\163\164\145\144\122\157\157\164\040\122\157 +\157\164\040\103\101\040\122\123\101\040\124\114\123\040\062\060 +\062\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157 +\163\061\013\060\011\006\003\125\004\006\023\002\104\105 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\114\061\056\060\054\006\003\125\004\003\014\045\101\164\157 +\163\040\124\162\165\163\164\145\144\122\157\157\164\040\122\157 +\157\164\040\103\101\040\122\123\101\040\124\114\123\040\062\060 +\062\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157 +\163\061\013\060\011\006\003\125\004\006\023\002\104\105 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\123\325\317\346\031\223\013\373\053\005\022\330\302\052 +\242\244 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\144\060\202\003\114\240\003\002\001\002\002\020\123 +\325\317\346\031\223\013\373\053\005\022\330\302\052\242\244\060 +\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\114 +\061\056\060\054\006\003\125\004\003\014\045\101\164\157\163\040 +\124\162\165\163\164\145\144\122\157\157\164\040\122\157\157\164 +\040\103\101\040\122\123\101\040\124\114\123\040\062\060\062\061 +\061\015\060\013\006\003\125\004\012\014\004\101\164\157\163\061 +\013\060\011\006\003\125\004\006\023\002\104\105\060\036\027\015 +\062\061\060\064\062\062\060\071\062\061\061\060\132\027\015\064 +\061\060\064\061\067\060\071\062\061\060\071\132\060\114\061\056 +\060\054\006\003\125\004\003\014\045\101\164\157\163\040\124\162 +\165\163\164\145\144\122\157\157\164\040\122\157\157\164\040\103 
+\101\040\122\123\101\040\124\114\123\040\062\060\062\061\061\015 +\060\013\006\003\125\004\012\014\004\101\164\157\163\061\013\060 +\011\006\003\125\004\006\023\002\104\105\060\202\002\042\060\015 +\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002 +\017\000\060\202\002\012\002\202\002\001\000\266\200\016\304\171 +\275\005\214\175\260\243\235\115\042\115\313\360\101\227\115\131 +\340\321\376\126\214\227\362\327\275\217\154\267\043\217\137\325 +\304\330\101\313\362\002\036\161\345\351\366\136\313\010\052\136 +\060\362\055\146\307\204\033\144\127\070\235\165\055\126\306\057 +\141\357\226\374\040\106\275\353\324\173\077\077\174\107\070\004 +\251\033\252\122\337\023\067\323\025\025\116\275\137\174\257\255 +\143\307\171\334\010\173\325\240\345\367\133\165\254\200\125\231 +\222\141\233\315\052\027\175\333\217\364\265\152\352\027\112\144 +\050\146\025\051\154\002\361\153\325\272\243\063\334\132\147\247 +\005\342\277\145\266\026\260\020\355\315\120\063\311\160\120\354 +\031\216\260\307\362\164\133\153\104\306\175\226\271\230\010\131 +\146\336\051\001\233\364\052\155\323\025\072\220\152\147\361\264 +\153\146\331\041\353\312\331\142\174\106\020\134\336\165\111\147 +\236\102\371\376\165\251\243\255\377\166\012\147\100\343\305\367 +\215\307\205\232\131\236\142\232\152\355\105\207\230\147\262\325 +\112\074\327\264\073\000\015\300\217\037\341\100\304\256\154\041 +\334\111\176\176\312\262\215\155\266\277\223\057\241\134\076\217 +\312\355\200\216\130\341\333\127\317\205\066\070\262\161\244\011 +\214\222\211\010\210\110\361\100\143\030\262\133\214\132\343\303 +\323\027\252\253\031\243\054\033\344\325\306\342\146\172\327\202 +\031\246\073\026\054\057\161\207\137\105\236\225\163\223\302\102 +\201\041\023\226\327\235\273\223\150\025\372\235\244\035\214\362 +\201\340\130\006\275\311\266\343\366\211\135\211\371\254\104\241 +\313\153\372\026\361\307\120\075\044\332\367\303\344\207\325\126 +\361\117\220\060\372\105\011\131\332\064\316\340\023\034\004\174 
+\000\324\233\206\244\100\274\331\334\114\127\176\256\267\063\266 +\136\166\341\145\213\146\337\215\312\327\230\257\316\066\230\214 +\234\203\231\003\160\363\257\164\355\306\016\066\347\275\354\301 +\163\247\224\132\313\222\144\202\246\000\301\160\241\156\054\051 +\341\130\127\354\132\174\231\153\045\244\220\072\200\364\040\235 +\232\316\307\055\371\262\113\051\225\203\351\065\215\247\111\110 +\247\017\114\031\221\320\365\277\020\340\161\002\003\001\000\001 +\243\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005 +\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024 +\164\111\231\321\377\264\172\150\105\165\303\176\264\334\314\316 +\071\063\332\010\060\016\006\003\125\035\017\001\001\377\004\004 +\003\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001 +\014\005\000\003\202\002\001\000\043\103\123\044\142\134\155\375 +\076\302\317\125\000\154\305\126\210\271\016\335\072\342\045\015 +\225\112\227\312\200\211\356\052\315\145\370\333\026\340\011\222 +\340\030\307\170\230\273\363\354\102\122\373\251\244\202\327\115 +\330\212\374\344\116\375\253\220\304\070\165\062\204\237\377\263 +\260\053\002\063\066\300\020\220\157\035\234\257\341\151\223\354 +\243\105\057\024\237\365\114\052\145\103\162\014\367\303\370\225 +\213\024\363\205\040\142\335\124\123\335\054\334\030\225\151\117 +\203\107\160\100\063\130\167\022\014\242\353\122\061\036\114\311 +\250\316\305\357\303\321\255\340\153\003\000\064\046\264\124\041 +\065\227\001\334\137\033\361\174\347\125\372\055\150\167\173\323 +\151\314\323\016\153\272\115\166\104\326\302\025\232\046\354\260 +\305\365\273\321\172\164\302\154\315\305\265\136\366\114\346\133 +\055\201\333\263\267\072\227\236\355\317\106\262\120\075\204\140 +\231\161\265\063\265\127\105\346\102\107\165\152\016\260\010\014 +\256\275\336\367\273\017\130\075\217\003\061\350\075\202\120\312 +\057\136\014\135\264\227\276\040\064\007\364\304\022\341\356\327 +\260\331\131\055\151\367\061\004\364\362\371\253\371\023\061\370 
+\001\167\016\075\102\043\046\314\232\162\147\121\041\172\314\074 +\205\250\352\041\152\073\333\132\074\245\064\236\232\300\054\337 +\200\234\051\340\337\167\224\321\242\200\102\377\152\114\133\021 +\320\365\315\242\276\256\314\121\134\303\325\124\173\014\256\326 +\271\006\167\200\342\357\007\032\150\314\131\121\255\176\134\147 +\153\271\333\342\007\102\133\270\001\005\130\071\115\344\273\230 +\243\261\062\354\331\243\326\157\224\043\377\073\267\051\145\346 +\007\351\357\266\031\352\347\302\070\035\062\210\220\074\023\053 +\156\314\357\253\167\006\064\167\204\117\162\344\201\204\371\271 +\164\064\336\166\117\222\052\123\261\045\071\333\074\377\345\076 +\246\016\345\153\236\377\333\354\057\164\203\337\216\264\263\251 +\336\024\115\377\061\243\105\163\044\372\225\051\314\022\227\004 +\242\070\266\215\260\360\067\374\310\041\177\077\263\044\033\075 +\213\156\314\115\260\026\015\226\035\203\037\106\300\233\275\103 +\231\347\304\226\056\316\137\311 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "Atos TrustedRoot Root CA RSA TLS 2021" +# Issuer: C=DE,O=Atos,CN=Atos TrustedRoot Root CA RSA TLS 2021 +# Serial Number:53:d5:cf:e6:19:93:0b:fb:2b:05:12:d8:c2:2a:a2:a4 +# Subject: C=DE,O=Atos,CN=Atos TrustedRoot Root CA RSA TLS 2021 +# Not Valid Before: Thu Apr 22 09:21:10 2021 +# Not Valid After : Wed Apr 17 09:21:09 2041 +# Fingerprint (SHA-256): 81:A9:08:8E:A5:9F:B3:64:C5:48:A6:F8:55:59:09:9B:6F:04:05:EF:BF:18:E5:32:4E:C9:F4:57:BA:00:11:2F +# Fingerprint (SHA1): 18:52:3B:0D:06:37:E4:D6:3A:DF:23:E4:98:FB:5B:16:FB:86:74:48 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Atos TrustedRoot Root CA RSA TLS 2021" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\030\122\073\015\006\067\344\326\072\337\043\344\230\373\133\026 +\373\206\164\110 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL 
+\324\323\106\270\232\300\234\166\135\236\072\303\271\231\061\322 +END +CKA_ISSUER MULTILINE_OCTAL +\060\114\061\056\060\054\006\003\125\004\003\014\045\101\164\157 +\163\040\124\162\165\163\164\145\144\122\157\157\164\040\122\157 +\157\164\040\103\101\040\122\123\101\040\124\114\123\040\062\060 +\062\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157 +\163\061\013\060\011\006\003\125\004\006\023\002\104\105 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\123\325\317\346\031\223\013\373\053\005\022\330\302\052 +\242\244 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "Entrust 4K TLS Root CA - 2022" +# +# Issuer: CN=Entrust 4K TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Serial Number:57:26:28:36:aa:75:1a:00:0c:16:ba:28:cc:86:b5:90:fd:f2:25:ba +# Subject: CN=Entrust 4K TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Not Valid Before: Tue Dec 13 16:26:47 2022 +# Not Valid After : Sat Dec 07 16:26:47 2047 +# Fingerprint (SHA-256): DD:6C:44:B3:94:01:B0:53:DB:E6:11:20:74:8B:BB:0F:60:56:00:76:65:C1:68:E5:C2:86:75:0E:DC:8D:F1:29 +# Fingerprint (SHA1): 19:3C:2A:76:F8:CA:DD:84:F3:5B:F5:2E:E7:AA:50:66:57:91:7A:38 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Entrust 4K TLS Root CA - 2022" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\046\060\044\006\003\125\004\003 +\023\035\105\156\164\162\165\163\164\040\064\113\040\124\114\123 +\040\122\157\157\164\040\103\101\040\055\040\062\060\062\062 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL 
+\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\046\060\044\006\003\125\004\003 +\023\035\105\156\164\162\165\163\164\040\064\113\040\124\114\123 +\040\122\157\157\164\040\103\101\040\055\040\062\060\062\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\127\046\050\066\252\165\032\000\014\026\272\050\314\206 +\265\220\375\362\045\272 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\213\060\202\003\163\240\003\002\001\002\002\024\127 +\046\050\066\252\165\032\000\014\026\272\050\314\206\265\220\375 +\362\045\272\060\015\006\011\052\206\110\206\367\015\001\001\014 +\005\000\060\115\061\013\060\011\006\003\125\004\006\023\002\125 +\123\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162 +\165\163\164\054\040\111\156\143\056\061\046\060\044\006\003\125 +\004\003\023\035\105\156\164\162\165\163\164\040\064\113\040\124 +\114\123\040\122\157\157\164\040\103\101\040\055\040\062\060\062 +\062\060\036\027\015\062\062\061\062\061\063\061\066\062\066\064 +\067\132\027\015\064\067\061\062\060\067\061\066\062\066\064\067 +\132\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165 +\163\164\054\040\111\156\143\056\061\046\060\044\006\003\125\004 +\003\023\035\105\156\164\162\165\163\164\040\064\113\040\124\114 +\123\040\122\157\157\164\040\103\101\040\055\040\062\060\062\062 +\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001 +\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001 +\000\307\116\325\076\074\242\340\073\234\012\307\221\343\071\204 +\356\114\223\135\253\125\244\063\115\227\105\275\364\011\333\246 +\315\063\350\163\301\037\163\171\351\025\133\244\356\260\004\243 +\345\045\321\310\236\277\057\164\103\357\205\304\222\333\262\060 +\072\121\135\004\055\364\074\103\151\101\371\270\263\171\206\363 
+\112\326\034\216\034\127\152\303\021\360\126\166\020\176\264\302 +\003\244\241\206\001\340\054\330\374\054\340\315\022\227\311\124 +\116\316\263\036\111\355\251\115\124\322\372\207\201\275\231\064 +\216\340\250\071\032\021\031\263\263\365\075\363\025\164\223\162 +\345\061\203\342\016\043\022\110\114\237\150\064\127\346\255\034 +\375\341\234\315\212\004\257\126\366\052\164\156\345\167\100\347 +\343\307\153\131\103\245\132\261\310\124\137\030\220\264\025\204 +\236\374\103\265\361\213\165\055\346\221\203\073\264\177\177\144 +\237\155\120\144\077\314\167\340\036\272\151\001\230\144\275\005 +\226\075\313\066\130\240\076\352\340\114\105\256\222\071\034\144 +\226\121\145\121\062\064\137\154\257\231\171\235\202\271\070\306 +\266\124\220\124\274\135\065\317\336\147\337\254\255\331\376\137 +\031\156\161\323\141\335\007\100\356\117\000\070\204\271\001\165 +\112\273\030\170\256\056\351\050\002\045\367\120\223\115\116\050 +\323\356\006\377\256\100\234\255\035\267\272\342\145\123\007\303 +\106\350\232\014\022\273\111\227\201\343\012\110\025\104\257\373 +\360\104\230\167\112\116\002\274\255\347\275\264\126\102\065\204 +\054\337\301\351\137\106\131\022\323\224\365\152\014\343\327\153 +\132\314\347\225\205\356\141\242\354\132\341\045\177\365\154\315 +\312\154\202\020\042\303\320\327\047\151\222\177\262\302\312\370 +\223\045\324\104\354\063\170\253\355\363\252\027\202\256\341\260 +\057\037\074\373\000\157\132\123\256\375\010\046\171\363\315\047 +\153\005\243\015\356\363\153\155\341\004\145\236\360\215\224\024 +\042\133\264\014\032\267\323\367\307\173\366\000\251\047\033\311 +\131\030\332\034\253\233\076\042\277\000\320\354\313\033\101\304 +\301\371\222\100\153\205\263\034\256\253\363\251\036\277\050\164 +\114\223\354\015\330\324\213\150\100\213\025\270\010\111\144\167 +\203\002\003\001\000\001\243\143\060\141\060\035\006\003\125\035 +\016\004\026\004\024\224\100\352\132\377\357\111\143\001\236\011 +\337\340\073\200\063\163\022\040\126\060\037\006\003\125\035\043 
+\004\030\060\026\200\024\224\100\352\132\377\357\111\143\001\236 +\011\337\340\073\200\063\163\022\040\126\060\017\006\003\125\035 +\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125 +\035\017\001\001\377\004\004\003\002\001\206\060\015\006\011\052 +\206\110\206\367\015\001\001\014\005\000\003\202\002\001\000\073 +\036\273\317\150\037\224\124\254\013\146\312\057\317\340\252\336 +\203\226\151\006\012\352\271\062\076\317\037\244\131\152\245\230 +\323\136\057\140\156\376\225\016\157\372\045\022\276\234\321\214 +\255\244\323\076\270\026\215\221\300\005\210\254\231\350\045\320 +\212\032\274\177\147\170\241\105\247\173\120\110\065\201\036\146 +\023\131\031\205\144\004\167\136\140\116\136\106\164\134\121\321 +\342\113\342\007\256\273\363\122\172\111\330\160\111\203\133\140 +\047\151\257\302\167\142\043\061\226\174\242\132\213\256\040\140 +\261\361\165\044\352\261\176\130\232\035\105\255\301\351\063\055 +\204\140\173\165\132\115\175\363\115\034\037\120\116\100\146\033 +\076\327\364\044\146\171\105\025\161\077\334\367\347\126\117\307 +\027\362\335\354\324\313\075\130\014\356\112\312\233\211\131\034 +\374\030\121\255\163\064\333\012\010\013\143\122\000\235\173\006 +\106\206\200\247\153\133\252\035\077\336\213\261\177\334\375\242 +\205\161\077\246\020\017\223\370\021\203\045\002\152\171\045\342 +\122\206\002\042\206\360\322\317\346\366\200\104\164\100\010\367 +\267\006\363\103\011\343\234\055\122\323\320\007\115\131\150\370 +\141\270\262\355\015\304\047\132\220\042\015\162\372\276\230\161 +\266\350\345\313\211\355\131\063\060\057\354\246\150\143\131\077 +\246\325\314\257\323\014\237\237\176\177\361\011\260\250\050\337 +\142\233\360\336\217\305\035\274\370\361\054\156\166\307\311\076 +\026\166\264\156\340\122\365\377\141\272\374\230\373\161\360\006 +\372\145\012\004\131\274\342\001\035\350\314\311\310\350\202\321 +\372\003\253\152\171\112\234\112\031\054\121\273\046\124\117\245 +\026\163\004\003\335\334\274\367\051\151\217\064\035\164\170\053 
+\317\205\177\221\166\276\126\133\334\376\057\367\173\266\232\220 +\122\140\302\142\336\132\022\121\142\322\207\264\253\205\240\264 +\351\363\343\027\337\070\306\066\263\277\034\310\022\314\231\305 +\254\012\346\174\236\044\146\054\017\030\061\353\124\070\157\200 +\153\277\365\310\072\271\003\067\121\156\374\042\204\021\201\072 +\243\071\114\150\130\003\254\241\360\234\140\320\121\250\332\307 +\135\277\355\200\170\232\224\127\337\224\230\203\061\276\312 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "Entrust 4K TLS Root CA - 2022" +# Issuer: CN=Entrust 4K TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Serial Number:57:26:28:36:aa:75:1a:00:0c:16:ba:28:cc:86:b5:90:fd:f2:25:ba +# Subject: CN=Entrust 4K TLS Root CA - 2022,O="Entrust, Inc.",C=US +# Not Valid Before: Tue Dec 13 16:26:47 2022 +# Not Valid After : Sat Dec 07 16:26:47 2047 +# Fingerprint (SHA-256): DD:6C:44:B3:94:01:B0:53:DB:E6:11:20:74:8B:BB:0F:60:56:00:76:65:C1:68:E5:C2:86:75:0E:DC:8D:F1:29 +# Fingerprint (SHA1): 19:3C:2A:76:F8:CA:DD:84:F3:5B:F5:2E:E7:AA:50:66:57:91:7A:38 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Entrust 4K TLS Root CA - 2022" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\031\074\052\166\370\312\335\204\363\133\365\056\347\252\120\146 +\127\221\172\070 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\034\075\335\365\176\017\265\363\260\042\370\203\011\223\375\027 +END +CKA_ISSUER MULTILINE_OCTAL +\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165\163 +\164\054\040\111\156\143\056\061\046\060\044\006\003\125\004\003 +\023\035\105\156\164\162\165\163\164\040\064\113\040\124\114\123 +\040\122\157\157\164\040\103\101\040\055\040\062\060\062\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL 
+\002\024\127\046\050\066\252\165\032\000\014\026\272\050\314\206 +\265\220\375\362\045\272 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "SwissSign RSA TLS Root CA 2022 - 1" +# +# Issuer: CN=SwissSign RSA TLS Root CA 2022 - 1,O=SwissSign AG,C=CH +# Serial Number:43:fa:0c:5f:4e:1b:80:18:44:ef:d1:b4:4f:35:1f:44:f4:80:ed:cb +# Subject: CN=SwissSign RSA TLS Root CA 2022 - 1,O=SwissSign AG,C=CH +# Not Valid Before: Wed Jun 08 11:08:22 2022 +# Not Valid After : Sat Jun 08 11:08:22 2047 +# Fingerprint (SHA-256): 19:31:44:F4:31:E0:FD:DB:74:07:17:D4:DE:92:6A:57:11:33:88:4B:43:60:D3:0E:27:29:13:CB:E6:60:CE:41 +# Fingerprint (SHA1): 81:34:0A:BE:4C:CD:CE:CC:E7:7D:CC:8A:D4:57:E2:45:A0:77:5D:CE +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SwissSign RSA TLS Root CA 2022 - 1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\121\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\025\060\023\006\003\125\004\012\023\014\123\167\151\163\163\123 +\151\147\156\040\101\107\061\053\060\051\006\003\125\004\003\023 +\042\123\167\151\163\163\123\151\147\156\040\122\123\101\040\124 +\114\123\040\122\157\157\164\040\103\101\040\062\060\062\062\040 +\055\040\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\121\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\025\060\023\006\003\125\004\012\023\014\123\167\151\163\163\123 +\151\147\156\040\101\107\061\053\060\051\006\003\125\004\003\023 +\042\123\167\151\163\163\123\151\147\156\040\122\123\101\040\124 +\114\123\040\122\157\157\164\040\103\101\040\062\060\062\062\040 +\055\040\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL 
+\002\024\103\372\014\137\116\033\200\030\104\357\321\264\117\065 +\037\104\364\200\355\313 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\223\060\202\003\173\240\003\002\001\002\002\024\103 +\372\014\137\116\033\200\030\104\357\321\264\117\065\037\104\364 +\200\355\313\060\015\006\011\052\206\110\206\367\015\001\001\013 +\005\000\060\121\061\013\060\011\006\003\125\004\006\023\002\103 +\110\061\025\060\023\006\003\125\004\012\023\014\123\167\151\163 +\163\123\151\147\156\040\101\107\061\053\060\051\006\003\125\004 +\003\023\042\123\167\151\163\163\123\151\147\156\040\122\123\101 +\040\124\114\123\040\122\157\157\164\040\103\101\040\062\060\062 +\062\040\055\040\061\060\036\027\015\062\062\060\066\060\070\061 +\061\060\070\062\062\132\027\015\064\067\060\066\060\070\061\061 +\060\070\062\062\132\060\121\061\013\060\011\006\003\125\004\006 +\023\002\103\110\061\025\060\023\006\003\125\004\012\023\014\123 +\167\151\163\163\123\151\147\156\040\101\107\061\053\060\051\006 +\003\125\004\003\023\042\123\167\151\163\163\123\151\147\156\040 +\122\123\101\040\124\114\123\040\122\157\157\164\040\103\101\040 +\062\060\062\062\040\055\040\061\060\202\002\042\060\015\006\011 +\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000 +\060\202\002\012\002\202\002\001\000\313\052\150\342\013\303\127 +\274\065\143\274\160\245\073\363\214\074\116\127\226\156\303\116 +\066\244\366\002\312\036\252\256\270\336\250\257\035\166\332\272 +\065\320\221\160\007\337\263\006\362\212\362\056\125\121\173\273 +\054\044\313\177\222\046\200\243\264\224\366\202\241\244\350\372 +\165\035\131\363\007\152\141\144\342\306\214\225\257\243\273\216 +\157\126\317\161\314\136\201\141\015\155\362\253\002\056\244\227 +\345\161\374\212\260\221\040\133\234\164\122\155\256\025\047\131 +\170\362\011\312\145\016\177\313\364\353\347\334\251\114\167\366 +\053\026\004\225\256\234\161\245\077\052\332\101\102\347\074\204 +\020\364\341\075\214\153\342\053\221\107\125\117\270\126\276\105 
+\336\042\121\115\116\050\331\137\031\101\006\217\016\115\006\340 +\160\100\043\001\152\344\313\023\233\163\254\115\024\110\222\055 +\376\155\247\370\207\153\171\165\341\276\020\261\252\210\100\131 +\124\327\317\304\320\233\104\263\070\151\144\214\201\321\043\176 +\252\071\074\073\017\237\112\173\202\312\153\157\312\042\076\061 +\320\260\320\052\034\222\212\217\330\031\234\107\344\076\014\271 +\302\315\276\101\014\370\244\107\005\333\301\027\060\070\072\151 +\334\315\303\151\043\375\232\017\002\316\020\152\316\312\370\271 +\051\243\066\211\206\256\013\300\117\143\271\006\131\111\136\016 +\301\151\263\012\363\167\176\056\235\214\263\047\230\322\231\215 +\045\247\037\206\263\246\124\160\070\374\175\135\350\117\203\014 +\321\223\345\022\344\124\332\076\362\255\072\336\076\074\105\360 +\050\017\006\271\341\333\227\173\231\105\236\335\376\225\131\004 +\057\165\077\323\256\211\231\206\254\024\264\250\204\372\310\135 +\073\033\130\223\301\027\224\125\310\013\343\202\171\204\237\363 +\000\204\064\356\334\061\325\217\362\372\117\226\114\006\252\170 +\373\336\144\242\043\315\037\076\305\214\274\067\124\016\273\132 +\162\125\357\310\133\265\162\370\170\337\067\040\114\127\221\163 +\222\163\254\030\167\103\202\040\151\354\351\254\051\106\345\013 +\116\370\067\163\211\226\212\034\155\275\357\276\330\266\364\312 +\300\375\107\360\256\013\130\040\305\310\035\066\256\227\215\120 +\203\046\044\051\367\235\073\017\005\002\003\001\000\001\243\143 +\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060\003 +\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003 +\002\001\006\060\037\006\003\125\035\043\004\030\060\026\200\024 +\157\216\142\213\223\103\260\341\100\366\247\303\375\361\017\270 +\017\025\070\245\060\035\006\003\125\035\016\004\026\004\024\157 +\216\142\213\223\103\260\341\100\366\247\303\375\361\017\270\017 +\025\070\245\060\015\006\011\052\206\110\206\367\015\001\001\013 +\005\000\003\202\002\001\000\254\054\051\101\175\372\134\365\032 
+\225\030\277\054\251\212\251\044\124\165\365\270\100\253\313\250 +\044\121\053\030\077\143\251\256\230\126\053\005\103\042\243\267 +\327\106\236\300\052\022\075\216\226\226\100\337\014\063\213\153 +\067\221\072\225\273\071\051\155\300\002\154\212\224\013\007\002 +\115\030\076\373\373\173\365\166\075\233\366\136\060\006\130\063 +\036\252\170\325\346\124\004\072\262\202\011\215\316\026\063\131 +\105\050\361\245\243\227\016\103\043\375\013\040\200\220\377\343 +\046\317\270\144\221\345\005\217\023\240\166\015\327\067\014\020 +\210\226\364\076\276\225\275\361\303\175\360\243\303\171\107\013 +\134\222\025\143\355\122\165\212\347\106\151\313\121\125\013\052 +\114\365\362\144\117\251\134\377\147\062\216\125\055\062\202\034 +\200\057\152\221\370\313\274\176\030\242\046\250\056\243\123\050 +\207\355\127\345\145\172\116\000\112\133\116\123\311\142\066\275 +\302\216\133\353\314\156\047\201\030\131\213\104\143\237\325\014 +\145\364\051\145\177\221\054\345\177\176\350\211\317\217\040\313 +\155\007\102\021\121\046\062\212\056\072\107\023\270\215\275\107 +\015\011\360\026\244\355\226\206\056\031\330\276\214\072\350\105 +\056\021\272\256\132\347\271\277\261\314\217\340\240\377\270\263 +\321\205\173\171\146\243\071\265\073\146\330\100\276\317\267\147 +\213\110\311\031\045\125\374\275\215\317\136\332\116\246\362\151 +\316\375\177\114\167\320\301\106\065\230\134\043\233\002\105\103 +\224\132\335\274\107\255\042\376\272\136\057\221\051\051\206\173 +\041\336\156\144\267\313\015\217\067\133\243\010\152\353\364\335 +\002\217\120\003\002\261\270\067\150\226\120\353\270\137\324\050 +\212\245\042\014\212\204\360\131\056\325\067\321\141\345\102\163 +\130\052\201\367\166\333\342\342\115\015\137\366\267\276\005\264 +\256\116\015\336\026\075\003\201\263\046\136\113\270\113\000\317 +\377\214\027\272\154\140\055\047\207\067\044\346\172\140\057\265 +\323\203\004\252\117\103\165\242\301\203\262\047\230\053\261\016 +\200\272\300\205\136\102\271\337\261\140\221\323\353\030\176\160 
+\170\256\166\203\276\161\132\320\220\343\312\301\026\045\147\112 +\360\266\173\272\341\234\331 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "SwissSign RSA TLS Root CA 2022 - 1" +# Issuer: CN=SwissSign RSA TLS Root CA 2022 - 1,O=SwissSign AG,C=CH +# Serial Number:43:fa:0c:5f:4e:1b:80:18:44:ef:d1:b4:4f:35:1f:44:f4:80:ed:cb +# Subject: CN=SwissSign RSA TLS Root CA 2022 - 1,O=SwissSign AG,C=CH +# Not Valid Before: Wed Jun 08 11:08:22 2022 +# Not Valid After : Sat Jun 08 11:08:22 2047 +# Fingerprint (SHA-256): 19:31:44:F4:31:E0:FD:DB:74:07:17:D4:DE:92:6A:57:11:33:88:4B:43:60:D3:0E:27:29:13:CB:E6:60:CE:41 +# Fingerprint (SHA1): 81:34:0A:BE:4C:CD:CE:CC:E7:7D:CC:8A:D4:57:E2:45:A0:77:5D:CE +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SwissSign RSA TLS Root CA 2022 - 1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\201\064\012\276\114\315\316\314\347\175\314\212\324\127\342\105 +\240\167\135\316 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\026\056\344\031\166\201\205\272\216\221\130\361\025\357\162\071 +END +CKA_ISSUER MULTILINE_OCTAL +\060\121\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\025\060\023\006\003\125\004\012\023\014\123\167\151\163\163\123 +\151\147\156\040\101\107\061\053\060\051\006\003\125\004\003\023 +\042\123\167\151\163\163\123\151\147\156\040\122\123\101\040\124 +\114\123\040\122\157\157\164\040\103\101\040\062\060\062\062\040 +\055\040\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\103\372\014\137\116\033\200\030\104\357\321\264\117\065 +\037\104\364\200\355\313 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "Atos TrustedRoot 
Root CA ECC TLS 2021" +# +# Issuer: C=DE,O=Atos,CN=Atos TrustedRoot Root CA ECC TLS 2021 +# Serial Number:3d:98:3b:a6:66:3d:90:63:f7:7e:26:57:38:04:ef:00 +# Subject: C=DE,O=Atos,CN=Atos TrustedRoot Root CA ECC TLS 2021 +# Not Valid Before: Thu Apr 22 09:26:23 2021 +# Not Valid After : Wed Apr 17 09:26:22 2041 +# Fingerprint (SHA-256): B2:FA:E5:3E:14:CC:D7:AB:92:12:06:47:01:AE:27:9C:1D:89:88:FA:CB:77:5F:A8:A0:08:91:4E:66:39:88:A8 +# Fingerprint (SHA1): 9E:BC:75:10:42:B3:02:F3:81:F4:F7:30:62:D4:8F:C3:A7:51:B2:DD +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Atos TrustedRoot Root CA ECC TLS 2021" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\114\061\056\060\054\006\003\125\004\003\014\045\101\164\157 +\163\040\124\162\165\163\164\145\144\122\157\157\164\040\122\157 +\157\164\040\103\101\040\105\103\103\040\124\114\123\040\062\060 +\062\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157 +\163\061\013\060\011\006\003\125\004\006\023\002\104\105 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\114\061\056\060\054\006\003\125\004\003\014\045\101\164\157 +\163\040\124\162\165\163\164\145\144\122\157\157\164\040\122\157 +\157\164\040\103\101\040\105\103\103\040\124\114\123\040\062\060 +\062\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157 +\163\061\013\060\011\006\003\125\004\006\023\002\104\105 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\075\230\073\246\146\075\220\143\367\176\046\127\070\004 +\357\000 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\025\060\202\001\233\240\003\002\001\002\002\020\075 +\230\073\246\146\075\220\143\367\176\046\127\070\004\357\000\060 +\012\006\010\052\206\110\316\075\004\003\003\060\114\061\056\060 +\054\006\003\125\004\003\014\045\101\164\157\163\040\124\162\165 +\163\164\145\144\122\157\157\164\040\122\157\157\164\040\103\101 
+\040\105\103\103\040\124\114\123\040\062\060\062\061\061\015\060 +\013\006\003\125\004\012\014\004\101\164\157\163\061\013\060\011 +\006\003\125\004\006\023\002\104\105\060\036\027\015\062\061\060 +\064\062\062\060\071\062\066\062\063\132\027\015\064\061\060\064 +\061\067\060\071\062\066\062\062\132\060\114\061\056\060\054\006 +\003\125\004\003\014\045\101\164\157\163\040\124\162\165\163\164 +\145\144\122\157\157\164\040\122\157\157\164\040\103\101\040\105 +\103\103\040\124\114\123\040\062\060\062\061\061\015\060\013\006 +\003\125\004\012\014\004\101\164\157\163\061\013\060\011\006\003 +\125\004\006\023\002\104\105\060\166\060\020\006\007\052\206\110 +\316\075\002\001\006\005\053\201\004\000\042\003\142\000\004\226 +\206\130\050\067\012\147\320\240\336\044\031\031\341\344\005\007 +\037\227\355\350\144\202\271\366\304\161\120\316\212\014\377\327 +\265\166\273\241\154\223\154\203\242\150\156\245\331\276\054\210 +\225\101\315\135\335\261\312\203\143\203\314\300\276\164\331\340 +\235\244\356\112\116\126\340\230\051\101\223\122\020\325\044\070 +\002\062\147\361\224\022\157\357\327\305\336\056\375\031\200\243 +\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060 +\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\166 +\050\045\326\175\340\146\232\172\011\262\152\073\216\063\327\066 +\323\117\242\060\016\006\003\125\035\017\001\001\377\004\004\003 +\002\001\206\060\012\006\010\052\206\110\316\075\004\003\003\003 +\150\000\060\145\002\060\133\231\051\363\234\061\266\211\153\154 +\326\275\167\341\174\347\121\176\270\072\315\243\066\137\174\367 +\074\167\076\344\120\255\250\347\322\131\014\046\216\060\073\156 +\010\052\302\247\132\310\002\061\000\231\343\014\347\243\303\257 +\323\111\056\106\202\043\146\135\311\000\024\022\375\070\364\341 +\230\153\167\051\172\333\044\317\145\100\277\322\334\214\021\350 +\364\175\177\040\204\251\102\344\050 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE 
+CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "Atos TrustedRoot Root CA ECC TLS 2021" +# Issuer: C=DE,O=Atos,CN=Atos TrustedRoot Root CA ECC TLS 2021 +# Serial Number:3d:98:3b:a6:66:3d:90:63:f7:7e:26:57:38:04:ef:00 +# Subject: C=DE,O=Atos,CN=Atos TrustedRoot Root CA ECC TLS 2021 +# Not Valid Before: Thu Apr 22 09:26:23 2021 +# Not Valid After : Wed Apr 17 09:26:22 2041 +# Fingerprint (SHA-256): B2:FA:E5:3E:14:CC:D7:AB:92:12:06:47:01:AE:27:9C:1D:89:88:FA:CB:77:5F:A8:A0:08:91:4E:66:39:88:A8 +# Fingerprint (SHA1): 9E:BC:75:10:42:B3:02:F3:81:F4:F7:30:62:D4:8F:C3:A7:51:B2:DD +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Atos TrustedRoot Root CA ECC TLS 2021" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\236\274\165\020\102\263\002\363\201\364\367\060\142\324\217\303 +\247\121\262\335 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\026\237\255\361\160\255\171\326\355\051\264\321\305\171\160\250 +END +CKA_ISSUER MULTILINE_OCTAL +\060\114\061\056\060\054\006\003\125\004\003\014\045\101\164\157 +\163\040\124\162\165\163\164\145\144\122\157\157\164\040\122\157 +\157\164\040\103\101\040\105\103\103\040\124\114\123\040\062\060 +\062\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157 +\163\061\013\060\011\006\003\125\004\006\023\002\104\105 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\075\230\073\246\146\075\220\143\367\176\046\127\070\004 +\357\000 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + diff --git a/SPECS/cert-manager/CVE-2023-48795.patch b/SPECS/cert-manager/CVE-2023-48795.patch new file mode 100644 index 00000000000..04c7e0ea46f --- /dev/null +++ b/SPECS/cert-manager/CVE-2023-48795.patch 
@@ -0,0 +1,274 @@
+From 9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Mon, 20 Nov 2023 12:06:18 -0800
+Subject: [PATCH] ssh: implement strict KEX protocol changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Implement the "strict KEX" protocol changes, as described in section
+1.9 of the OpenSSH PROTOCOL file (as of OpenSSH version 9.6/9.6p1).
+
+Namely this makes the following changes:
+ * Both the server and the client add an additional algorithm to the
+ initial KEXINIT message, indicating support for the strict KEX mode.
+ * When one side of the connection sees the strict KEX extension
+ algorithm, the strict KEX mode is enabled for messages originating
+ from the other side of the connection. If the sequence number for
+ the side which requested the extension is not 1 (indicating that it
+ has already received non-KEXINIT packets), the connection is
+ terminated.
+ * When strict kex mode is enabled, unexpected messages during the
+ handshake are considered fatal. Additionally when a key change
+ occurs (on the receipt of the NEWKEYS message) the message sequence
+ numbers are reset.
+
+Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr
+University Bochum for reporting this issue.
+
+Fixes CVE-2023-48795
+Fixes golang/go#64784
+
+Change-Id: I96b53afd2bd2fb94d2b6f2a46a5dacf325357604
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/550715
+Reviewed-by: Nicola Murino
+Reviewed-by: Tatiana Bradley
+TryBot-Result: Gopher Robot
+Run-TryBot: Roland Shoemaker
+Reviewed-by: Damien Neil
+LUCI-TryBot-Result: Go LUCI
+
+Modified patch 9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d to apply to CBL-Mariner:
+Removed handshake_test.go because cert-manager's vendored code does not include it.
+Modified paths for handshake.go and transport.go to line up with the vendor directory.
+Modified-by: Tobias Brick
+---
+ vendor/golang.org/x/crypto/ssh/handshake.go | 56 +++++++++++++++++++--
+ vendor/golang.org/x/crypto/ssh/transport.go | 32 ++++++++++--
+ 2 files changed, 79 insertions(+), 9 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
+index 07a1843..6d89c8a 100644
+--- a/vendor/golang.org/x/crypto/ssh/handshake.go
++++ b/vendor/golang.org/x/crypto/ssh/handshake.go
+@@ -34,6 +34,16 @@ type keyingTransport interface {
+ // direction will be effected if a msgNewKeys message is sent
+ // or received.
+ prepareKeyChange(*algorithms, *kexResult) error
++
++ // setStrictMode sets the strict KEX mode, notably triggering
++ // sequence number resets on sending or receiving msgNewKeys.
++ // If the sequence number is already > 1 when setStrictMode
++ // is called, an error is returned.
++ setStrictMode() error
++
++ // setInitialKEXDone indicates to the transport that the initial key exchange
++ // was completed
++ setInitialKEXDone()
+ }
+
+ // handshakeTransport implements rekeying on top of a keyingTransport
+@@ -95,6 +105,10 @@ type handshakeTransport struct {
+
+ // The session ID or nil if first kex did not complete yet.
+ sessionID []byte
++
++ // strictMode indicates if the other side of the handshake indicated
++ // that we should be following the strict KEX protocol restrictions.
++ strictMode bool
+ }
+
+ type pendingKex struct {
+@@ -203,7 +217,10 @@ func (t *handshakeTransport) readLoop() {
+ close(t.incoming)
+ break
+ }
+- if p[0] == msgIgnore || p[0] == msgDebug {
++ // If this is the first kex, and strict KEX mode is enabled,
++ // we don't ignore any messages, as they may be used to manipulate
++ // the packet sequence numbers.
++ if !(t.sessionID == nil && t.strictMode) && (p[0] == msgIgnore || p[0] == msgDebug) {
+ continue
+ }
+ t.incoming <- p
+@@ -435,6 +452,11 @@ func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) {
+ return successPacket, nil
+ }
+
++const (
++ kexStrictClient = "kex-strict-c-v00@openssh.com"
++ kexStrictServer = "kex-strict-s-v00@openssh.com"
++)
++
+ // sendKexInit sends a key change message.
+ func (t *handshakeTransport) sendKexInit() error {
+ t.mu.Lock()
+@@ -448,7 +470,6 @@ func (t *handshakeTransport) sendKexInit() error {
+ }
+
+ msg := &kexInitMsg{
+- KexAlgos: t.config.KeyExchanges,
+ CiphersClientServer: t.config.Ciphers,
+ CiphersServerClient: t.config.Ciphers,
+ MACsClientServer: t.config.MACs,
+@@ -458,6 +479,13 @@ func (t *handshakeTransport) sendKexInit() error {
+ }
+ io.ReadFull(rand.Reader, msg.Cookie[:])
+
++ // We mutate the KexAlgos slice, in order to add the kex-strict extension algorithm,
++ // and possibly to add the ext-info extension algorithm. Since the slice may be the
++ // user owned KeyExchanges, we create our own slice in order to avoid using user
++ // owned memory by mistake.
++ msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+2) // room for kex-strict and ext-info
++ msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...)
++
+ isServer := len(t.hostKeys) > 0
+ if isServer {
+ for _, k := range t.hostKeys {
+@@ -477,17 +505,24 @@ func (t *handshakeTransport) sendKexInit() error {
+ msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, keyFormat)
+ }
+ }
++
++ if t.sessionID == nil {
++ msg.KexAlgos = append(msg.KexAlgos, kexStrictServer)
++ }
+ } else {
+ msg.ServerHostKeyAlgos = t.hostKeyAlgorithms
+
+ // As a client we opt in to receiving SSH_MSG_EXT_INFO so we know what
+ // algorithms the server supports for public key authentication. See RFC
+ // 8308, Section 2.1.
++ //
++ // We also send the strict KEX mode extension algorithm, in order to opt
++ // into the strict KEX mode.
+ if firstKeyExchange := t.sessionID == nil; firstKeyExchange {
+- msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+1)
+- msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...)
+ msg.KexAlgos = append(msg.KexAlgos, "ext-info-c")
++ msg.KexAlgos = append(msg.KexAlgos, kexStrictClient)
+ }
++
+ }
+ }
+
+ packet := Marshal(msg)
+@@ -593,6 +628,13 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
+ return err
+ }
+
++ if t.sessionID == nil && ((isClient && contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && contains(clientInit.KexAlgos, kexStrictClient))) {
++ t.strictMode = true
++ if err := t.conn.setStrictMode(); err != nil {
++ return err
++ }
++ }
++
+ // We don't send FirstKexFollows, but we handle receiving it.
+ //
+ // RFC 4253 section 7 defines the kex and the agreement method for
+@@ -663,6 +705,12 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
+ return unexpectedMessageError(msgNewKeys, packet[0])
+ }
+
++ if firstKeyExchange {
++ // Indicates to the transport that the first key exchange is completed
++ // after receiving SSH_MSG_NEWKEYS.
++ t.conn.setInitialKEXDone()
++ }
++
+ return nil
+ }
+
+diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go
+index acf5a21..4df45fc 100644
+--- a/vendor/golang.org/x/crypto/ssh/transport.go
++++ b/vendor/golang.org/x/crypto/ssh/transport.go
+@@ -48,6 +48,9 @@ type transport struct {
+ rand io.Reader
+ isClient bool
+ io.Closer
++
++ strictMode bool
++ initialKEXDone bool
+ }
+
+ // packetCipher represents a combination of SSH encryption/MAC
+@@ -73,6 +76,18 @@ type connectionState struct {
+ pendingKeyChange chan packetCipher
+ }
+
++func (t *transport) setStrictMode() error {
++ if t.reader.seqNum != 1 {
++ return errors.New("ssh: sequence number != 1 when strict KEX mode requested")
++ }
++ t.strictMode = true
++ return nil
++}
++
++func (t *transport) setInitialKEXDone() {
++ t.initialKEXDone = true
++}
++
+ // prepareKeyChange sets up key material for a keychange. The key changes in
+ // both directions are triggered by reading and writing a msgNewKey packet
+ // respectively.
+@@ -111,11 +126,12 @@ func (t *transport) printPacket(p []byte, write bool) {
+ // Read and decrypt next packet.
+ func (t *transport) readPacket() (p []byte, err error) {
+ for {
+- p, err = t.reader.readPacket(t.bufReader)
++ p, err = t.reader.readPacket(t.bufReader, t.strictMode)
+ if err != nil {
+ break
+ }
+- if len(p) == 0 || (p[0] != msgIgnore && p[0] != msgDebug) {
++ // in strict mode we pass through DEBUG and IGNORE packets only during the initial KEX
++ if len(p) == 0 || (t.strictMode && !t.initialKEXDone) || (p[0] != msgIgnore && p[0] != msgDebug) {
+ break
+ }
+ }
+@@ -126,7 +142,7 @@ func (t *transport) readPacket() (p []byte, err error) {
+ return p, err
+ }
+
+-func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
++func (s *connectionState) readPacket(r *bufio.Reader, strictMode bool) ([]byte, error) {
+ packet, err := s.packetCipher.readCipherPacket(s.seqNum, r)
+ s.seqNum++
+ if err == nil && len(packet) == 0 {
+@@ -139,6 +155,9 @@ func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
+ select {
+ case cipher := <-s.pendingKeyChange:
+ s.packetCipher = cipher
++ if strictMode {
++ s.seqNum = 0
++ }
+ default:
+ return nil, errors.New("ssh: got bogus newkeys message")
+ }
+@@ -169,10 +188,10 @@ func (t *transport) writePacket(packet []byte) error {
+ if debugTransport {
+ t.printPacket(packet, true)
+ }
+- return t.writer.writePacket(t.bufWriter, t.rand, packet)
++ return t.writer.writePacket(t.bufWriter, t.rand, packet, t.strictMode)
+ }
+
+-func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte) error {
++func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte, strictMode bool) error {
+ changeKeys := len(packet) > 0 && packet[0] == msgNewKeys
+
+ err := s.packetCipher.writeCipherPacket(s.seqNum, w, rand, packet)
+@@ -187,6 +206,9 @@ func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []
+ select {
+ case cipher := <-s.pendingKeyChange:
+ s.packetCipher = cipher
++ if strictMode {
++ s.seqNum = 0
++ }
+ default:
+ panic("ssh: no key
material for msgNewKeys") + } +-- +2.33.8 + diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index a953738b633..75eeaacf7fb 100644 --- a/SPECS/cert-manager/cert-manager.spec +++ b/SPECS/cert-manager/cert-manager.spec @@ -1,7 +1,7 @@ Summary: Automatically provision and manage TLS certificates in Kubernetes Name: cert-manager Version: 1.11.2 -Release: 6%{?dist} +Release: 7%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -19,6 +19,7 @@ Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version # --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ # -cf %%{name}-%%{version}-govendor.tar.gz vendor Source1: %{name}-%{version}-govendor.tar.gz +Patch0: CVE-2023-48795.patch BuildRequires: golang Requires: %{name}-acmesolver Requires: %{name}-cainjector @@ -63,8 +64,10 @@ Summary: cert-manager's webhook binary Webhook component providing API validation, mutation and conversion functionality for cert-manager. %prep -%autosetup -p1 -%setup -q -T -D -a 1 +# We need setup instead of autosetup because we have two sources and need the patch applied +# after both sources have been extracted. +%setup -q -a 1 +%patch -P 0 -p1 %build go build -o bin/acmesolver cmd/acmesolver/main.go @@ -109,6 +112,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ %{_bindir}/webhook %changelog +* Fri Jan 18 2024 Tobias Brick - 1.11.2-7 +- Patch for CVE-2023-48795 + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 1.11.2-6 - Bump release to rebuild with go 1.20.9 diff --git a/SPECS/cloud-hypervisor/CVE-2023-50711-versionize.patch b/SPECS/cloud-hypervisor/CVE-2023-50711-versionize.patch new file mode 100644 index 00000000000..40951b6bcf3 --- /dev/null +++ b/SPECS/cloud-hypervisor/CVE-2023-50711-versionize.patch 
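Review bot: The new `*transport` methods `setStrictMode` and `setInitialKEXDone` in the transport.go hunk carry no doc comment, while their interface counterparts in handshake.go spell out the seqNum == 1 precondition and the NEWKEYS sequence reset; I would mirror that on the implementations, e.g. `// setStrictMode enables strict KEX mode; it fails if a non-KEXINIT packet has already been read (reader seqNum != 1).` above `func (t *transport) setStrictMode() error`. Separately, the patch edits the vendored x/crypto sources in place but leaves `vendor/modules.txt` (and thus the module version recorded in the built binaries) untouched, so module-version-based scanners such as `govulncheck` run against the binaries will presumably keep reporting CVE-2023-48795 for this package; the patch header or the spec changelog should state that x/crypto is patched rather than upgraded so those findings can be triaged. With handshake_test.go dropped, none of the strict-KEX behaviour is exercised by the package build, which is worth stating there as well.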
@@ -0,0 +1,34 @@ +commit 5ce317b8e511d5bd92f1cb154d7136a483121ebf +Author: sindhu +Date: Thu Jan 18 13:58:38 2024 +0000 + + patch: Fix the build break due to versionize. wrap as_mut_fam_struct() with unsafe block + +diff --git a/Cargo.toml b/Cargo.toml +index 30183b6..555e165 100644 +--- a/Cargo.toml ++++ b/Cargo.toml +@@ -56,6 +56,7 @@ kvm-ioctls = { git = "https://github.com/rust-vmm/kvm-ioctls", branch = "main" } + versionize_derive = { git = "https://github.com/cloud-hypervisor/versionize_derive", branch = "ch" } + vmm-sys-util = { path="vendor/vmm-sys-util/" } + vhost = { path="vendor/vhost" } ++versionize = { path="vendor/versionize" } + + [dev-dependencies] + dirs = "5.0.0" +diff --git a/vendor/versionize/src/primitives.rs b/vendor/versionize/src/primitives.rs +index f388b0d..3ffdc95 100644 +--- a/vendor/versionize/src/primitives.rs ++++ b/vendor/versionize/src/primitives.rs +@@ -386,7 +386,10 @@ where + let mut object = FamStructWrapper::from_entries(&entries) + .map_err(|ref err| VersionizeError::Deserialize(format!("{:?}", err)))?; + // Update Default T with the deserialized header. +- *object.as_mut_fam_struct() = header; ++ // SAFETY: We are not modifying the `len` field of the vhost-vdpa fam-struct ++ unsafe { ++ *object.as_mut_fam_struct() = header; ++ } + Ok(object) + } + diff --git a/SPECS/cloud-hypervisor/CVE-2023-50711-vhost.patch b/SPECS/cloud-hypervisor/CVE-2023-50711-vhost.patch new file mode 100644 index 00000000000..8c7d8353ff3 --- /dev/null +++ b/SPECS/cloud-hypervisor/CVE-2023-50711-vhost.patch 
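Review bot: The SAFETY comment on the new `unsafe` block is not true at this call site: `*object.as_mut_fam_struct() = header;` replaces the whole struct, length field included, with a value that was just deserialized, and nothing in the hunk checks that `header.len()` equals `entries.len()` before the assignment. That is exactly the header/entries mismatch the vmm-sys-util patch in this commit guards against in its serde `Deserialize` impl, so wrapping the write in `unsafe` only satisfies the compiler without restoring the invariant the new `as_mut_fam_struct` contract asks for; the comment also still speaks of "the vhost-vdpa fam-struct" although this is versionize's `primitives.rs`. Before the assignment add `if header.len() != entries.len() { return Err(VersionizeError::Deserialize(format!("FAM header length {} does not match entry count {}", header.len(), entries.len()))); }` (assuming the `where` bounds, which are cut off above the hunk, make `T: FamStruct` so `len()` is available), and reword the SAFETY comment to say the length was validated against `entries` immediately above. The enclosing function starts outside the hunk.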
@@ -0,0 +1,59 @@ +commit 849c99eb06297d88747b551015c8e18387c11adb +Author: sindhu +Date: Thu Jan 18 16:55:12 2024 +0000 + + Add vhost to the list of patched vendor crates + +diff --git a/Cargo.toml b/Cargo.toml +index 2d9e89d..30183b6 100644 +--- a/Cargo.toml ++++ b/Cargo.toml +@@ -55,6 +55,7 @@ kvm-bindings = { git = "https://github.com/cloud-hypervisor/kvm-bindings", branc + kvm-ioctls = { git = "https://github.com/rust-vmm/kvm-ioctls", branch = "main" } + versionize_derive = { git = "https://github.com/cloud-hypervisor/versionize_derive", branch = "ch" } + vmm-sys-util = { path="vendor/vmm-sys-util/" } ++vhost = { path="vendor/vhost" } + + [dev-dependencies] + dirs = "5.0.0" + +commit 321085b2ea7bd818942be7954f3daaba1fa34293 +Author: Patrick Roy +Date: Tue Jan 2 11:57:50 2024 +0000 + + Update vmm-sys-util to 0.12.1 + + The update brings a fix for a security vulnerability behind + feature-gated code not used by vhost (the `with-serde` feature), + see GHSA-875g-mfp6-g7f9 + + 
Signed-off-by: Patrick Roy + +diff --git a/vendor/vhost/src/vhost_kern/vdpa.rs b/vendor/vhost/src/vhost_kern/vdpa.rs +index 39929c3..f2fd2f9 100644 +--- a/vendor/vhost/src/vhost_kern/vdpa.rs ++++ b/vendor/vhost/src/vhost_kern/vdpa.rs +@@ -85,7 +85,10 @@ impl VhostVdpa for VhostKernVdpa { + let mut config = VhostVdpaConfig::new(buffer.len()) + .map_err(|_| Error::IoctlError(IOError::from_raw_os_error(libc::ENOMEM)))?; + +- config.as_mut_fam_struct().off = offset; ++ // SAFETY: We are not modifying the `len` field of the vhost-vdpa fam-struct ++ unsafe { ++ config.as_mut_fam_struct().off = offset; ++ } + + let ret = unsafe { + ioctl_with_ptr( +@@ -104,7 +107,10 @@ impl VhostVdpa for VhostKernVdpa { + let mut config = VhostVdpaConfig::new(buffer.len()) + .map_err(|_| Error::IoctlError(IOError::from_raw_os_error(libc::ENOMEM)))?; + +- config.as_mut_fam_struct().off = offset; ++ // SAFETY: We are not modifying the `len` field of the vhost-vdpa fam-struct ++ unsafe { ++ config.as_mut_fam_struct().off = offset; ++ } + config.as_mut_slice().copy_from_slice(buffer); + + let ret = diff --git a/SPECS/cloud-hypervisor/CVE-2023-50711-vmm-sys-util.patch b/SPECS/cloud-hypervisor/CVE-2023-50711-vmm-sys-util.patch new file mode 100644 index 00000000000..0933d917349 --- /dev/null +++ b/SPECS/cloud-hypervisor/CVE-2023-50711-vmm-sys-util.patch 
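Review bot: The second embedded commit header ("Update vmm-sys-util to 0.12.1", citing GHSA-875g-mfp6-g7f9) does not describe the hunk beneath it, which only wraps the two `config.as_mut_fam_struct().off = offset;` writes in `vdpa.rs` in `unsafe` blocks; the vmm-sys-util change itself lives in the separate CVE-2023-50711-vmm-sys-util.patch. Because this file is a backport that the spec maintainers will have to rebase on the next cloud-hypervisor bump, the header should say what it actually is, e.g. `vhost: adapt vdpa.rs to vmm-sys-util's unsafe as_mut_fam_struct()`, and carry the upstream reference as a `Source commit:` line the way the vmm-sys-util patch does. The SAFETY comments on the two blocks are accurate here: only `off` is written and `len` is untouched.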
@@ -0,0 +1,361 @@ +commit 155a240bcff3007182776e36728f79ff40fe4d3d +Author: sindhu +Date: Thu Jan 18 16:14:30 2024 +0000 + + Add vmm-sys-util to the list of patched vendor crates + +diff --git a/Cargo.toml b/Cargo.toml +index 69ce35d..2d9e89d 100644 +--- a/Cargo.toml ++++ b/Cargo.toml +@@ -54,6 +54,7 @@ vm-memory = "0.10.0" + kvm-bindings = { git = "https://github.com/cloud-hypervisor/kvm-bindings", branch = "ch-v0.6.0-tdx" } + kvm-ioctls = { git = "https://github.com/rust-vmm/kvm-ioctls", branch = "main" } + versionize_derive = { git = "https://github.com/cloud-hypervisor/versionize_derive", branch = "ch" } ++vmm-sys-util = { path="vendor/vmm-sys-util/" } + + [dev-dependencies] + dirs = "5.0.0" +commit 5d4b972efd57964b076231d37b254e60a49350bd +Author: Sindhu Karri +Date: Tue Jan 16 09:54:26 2024 +0000 +Subject: [PATCH] fix: deserialization issue of FamStructWrapper with serde + + Source commit: https://github.com/rust-vmm/vmm-sys-util/commit/30172fca2a8e0a38667d934ee56682247e13f167 + +diff --git a/vendor/vmm-sys-util/Cargo.toml b/vendor/vmm-sys-util/Cargo.toml +index f1da15c..9def507 100644 +--- a/vendor/vmm-sys-util/Cargo.toml ++++ b/vendor/vmm-sys-util/Cargo.toml +@@ -32,6 +32,8 @@ version = "1.0.27" + optional = true + [dev-dependencies.serde_json] + version = "1.0.9" ++[dev-dependencies.bincode] ++version = "1.3.3" + + [features] + with-serde = ["serde", "serde_derive"] +diff --git a/vendor/vmm-sys-util/src/fam.rs b/vendor/vmm-sys-util/src/fam.rs +index 0d62b0f..abdfd2d 100644 +--- a/vendor/vmm-sys-util/src/fam.rs ++++ b/vendor/vmm-sys-util/src/fam.rs +@@ -99,7 +99,7 @@ impl fmt::Display for Error { + /// self.len as usize + /// } + /// +-/// fn set_len(&mut self, len: usize) { ++/// unsafe fn set_len(&mut self, len: usize) { + /// self.len = len as u32 + /// } + /// +@@ -135,7 +135,12 @@ pub unsafe trait FamStruct { + /// + /// These type of structures contain a member that holds the FAM length. + /// This method will set the value of that member. 
+- fn set_len(&mut self, len: usize); ++ /// ++ /// # Safety ++ /// ++ /// The caller needs to ensure that `len` here reflects the correct number of entries of the ++ /// flexible array part of the struct. ++ unsafe fn set_len(&mut self, len: usize); + + /// Get max allowed FAM length + /// +@@ -214,7 +219,11 @@ impl FamStructWrapper { + // SAFETY: Safe as long T follows the requirements of being POD. + mem_allocator.push(unsafe { mem::zeroed() }) + } +- mem_allocator[0].set_len(num_elements); ++ // SAFETY: The flexible array part of the struct has `num_elements` capacity. We just ++ // initialized this in `mem_allocator`. ++ unsafe { ++ mem_allocator[0].set_len(num_elements); ++ } + + Ok(FamStructWrapper { mem_allocator }) + } +@@ -270,8 +279,8 @@ impl FamStructWrapper { + &self.mem_allocator[0] + } + +- /// Get a mut reference to the actual [`FamStruct`](trait.FamStruct.html) instance. +- pub fn as_mut_fam_struct(&mut self) -> &mut T { ++ // Get a mut reference to the actual [`FamStruct`](trait.FamStruct.html) instance. ++ fn as_mut_fam_struct(&mut self) -> &mut T { + &mut self.mem_allocator[0] + } + +@@ -382,7 +391,11 @@ impl FamStructWrapper { + self.mem_allocator[i] = unsafe { mem::zeroed() } + } + // Update the len of the underlying `FamStruct`. +- self.as_mut_fam_struct().set_len(len); ++ // SAFETY: We just adjusted the memory for the underlying `mem_allocator` to hold `len` ++ // entries. ++ unsafe { ++ self.as_mut_fam_struct().set_len(len); ++ } + + // If the len needs to be decreased, deallocate unnecessary memory + if additional_elements < 0 { +@@ -527,13 +540,23 @@ where + { + use serde::de::Error; + +- let header = seq ++ let header: X = seq + .next_element()? + .ok_or_else(|| de::Error::invalid_length(0, &self))?; + let entries: Vec = seq + .next_element()? 
+ .ok_or_else(|| de::Error::invalid_length(1, &self))?; + ++ if header.len() != entries.len() { ++ let msg = format!( ++ "Mismatch between length of FAM specified in FamStruct header ({}) \ ++ and actual size of FAM ({})", ++ header.len(), ++ entries.len() ++ ); ++ return Err(V::Error::custom(msg)); ++ } ++ + let mut result: Self::Value = FamStructWrapper::from_entries(entries.as_slice()) + .map_err(|e| V::Error::custom(format!("{:?}", e)))?; + result.mem_allocator[0] = header; +@@ -557,7 +580,7 @@ macro_rules! generate_fam_struct_impl { + self.$field_name as usize + } + +- fn set_len(&mut self, len: usize) { ++ unsafe fn set_len(&mut self, len: usize) { + self.$field_name = len as $field_type; + } + +@@ -589,7 +612,7 @@ mod tests { + const MAX_LEN: usize = 100; + + #[repr(C)] +- #[derive(Default, PartialEq, Eq)] ++ #[derive(Default, Debug, PartialEq, Eq)] + pub struct __IncompleteArrayField(::std::marker::PhantomData, [T; 0]); + impl __IncompleteArrayField { + #[inline] +@@ -1045,4 +1068,29 @@ mod tests { + assert_eq!(wrapper2.as_mut_fam_struct().flags, 2); + assert_eq!(wrapper2.as_slice(), [0, 0, 0, 3, 14, 0, 0, 1]); + } ++ ++ #[cfg(feature = "with-serde")] ++ #[test] ++ fn test_bad_deserialize() { ++ #[repr(C)] ++ #[derive(Default, Debug, PartialEq, Serialize, Deserialize)] ++ struct Foo { ++ pub len: u32, ++ pub padding: u32, ++ pub entries: __IncompleteArrayField, ++ } ++ ++ generate_fam_struct_impl!(Foo, u32, entries, u32, len, 100); ++ ++ let state = FamStructWrapper::::new(0).unwrap(); ++ let mut bytes = bincode::serialize(&state).unwrap(); ++ ++ // The `len` field of the header is the first to be serialized. ++ // Writing at position 0 of the serialized data should change its value. 
++ bytes[0] = 255; ++ ++ assert!( ++ matches!(bincode::deserialize::>(&bytes).map_err(|boxed| *boxed), Err(bincode::ErrorKind::Custom(s)) if s == *"Mismatch between length of FAM specified in FamStruct header (255) and actual size of FAM (0)") ++ ); ++ } + } +commit 0023b3e3f137062b3a94364c4b154532e7ac2082 +Author: Sindhu Karri +Date: Tue Jan 16 10:50:50 2024 +0000 +Subject: [PATCH] Backported patch to make as_mut_fam_struct() unsafe public + + Source commit: e310864ba971b67a2a4e33ebfc826eda4296a0c6 in vmm-sys-util + PR link: https://github.com/rust-vmm/vmm-sys-util/pull/215 + +diff --git a/vendor/vmm-sys-util/src/fam.rs b/vendor/vmm-sys-util/src/fam.rs +index abdfd2d..caa7304 100644 +--- a/vendor/vmm-sys-util/src/fam.rs ++++ b/vendor/vmm-sys-util/src/fam.rs +@@ -50,6 +50,8 @@ impl fmt::Display for Error { + /// * the implementer should be a POD + /// * the implementor should contain a flexible array member of elements of type `Entry` + /// * `Entry` should be a POD ++/// * the implementor should ensures that the FAM length as returned by [`FamStruct::len()`] ++/// always describes correctly the length of the flexible array member. + /// + /// Violating these may cause problems. + /// +@@ -243,7 +245,8 @@ impl FamStructWrapper { + let mut adapter = FamStructWrapper::::new(entries.len())?; + + { +- let wrapper_entries = adapter.as_mut_fam_struct().as_mut_slice(); ++ // SAFETY: We are not modifying the length of the FamStruct ++ let wrapper_entries = unsafe { adapter.as_mut_fam_struct().as_mut_slice() }; + wrapper_entries.copy_from_slice(entries); + } + +@@ -279,8 +282,13 @@ impl FamStructWrapper { + &self.mem_allocator[0] + } + +- // Get a mut reference to the actual [`FamStruct`](trait.FamStruct.html) instance. +- fn as_mut_fam_struct(&mut self) -> &mut T { ++ /// Get a mut reference to the actual [`FamStruct`](trait.FamStruct.html) instance. 
++ /// ++ /// # Safety ++ /// ++ /// Callers must not use the reference returned to modify the `len` filed of the underlying ++ /// `FamStruct`. See also the top-level documentation of [`FamStruct`]. ++ pub unsafe fn as_mut_fam_struct(&mut self) -> &mut T { + &mut self.mem_allocator[0] + } + +@@ -303,7 +311,8 @@ impl FamStructWrapper { + /// Modifying the container referenced by this pointer may cause its buffer + /// to be reallocated, which would also make any pointers to it invalid. + pub fn as_mut_fam_struct_ptr(&mut self) -> *mut T { +- self.as_mut_fam_struct() ++ // SAFETY: We do not change the length of the underlying FamStruct. ++ unsafe { self.as_mut_fam_struct() } + } + + /// Get the elements slice. +@@ -313,7 +322,8 @@ impl FamStructWrapper { + + /// Get the mutable elements slice. + pub fn as_mut_slice(&mut self) -> &mut [T::Entry] { +- self.as_mut_fam_struct().as_mut_slice() ++ // SAFETY: We do not change the length of the underlying FamStruct. ++ unsafe { self.as_mut_fam_struct() }.as_mut_slice() + } + + /// Get the number of elements of type `FamStruct::Entry` currently in the vec. 
+@@ -482,7 +492,7 @@ impl Clone for FamStructWrapper { + + let mut adapter = FamStructWrapper { mem_allocator }; + { +- let wrapper_entries = adapter.as_mut_fam_struct().as_mut_slice(); ++ let wrapper_entries = adapter.as_mut_slice(); + wrapper_entries.copy_from_slice(self.as_slice()); + } + adapter +@@ -933,7 +943,7 @@ mod tests { + assert_eq!(payload[0], 0xA5); + assert_eq!(payload[1], 0x1e); + } +- assert_eq!(wrapper.as_mut_fam_struct().padding, 5); ++ assert_eq!(unsafe { wrapper.as_mut_fam_struct() }.padding, 5); + let data = wrapper.into_raw(); + assert_eq!(data[0].len, 2); + assert_eq!(data[0].padding, 5); +@@ -1019,54 +1029,57 @@ mod tests { + type FooFamStructWrapper = FamStructWrapper; + + let mut wrapper = FooFamStructWrapper::new(0).unwrap(); +- wrapper.as_mut_fam_struct().index = 1; +- wrapper.as_mut_fam_struct().flags = 2; +- wrapper.as_mut_fam_struct().length = 3; +- wrapper.push(3).unwrap(); +- wrapper.push(14).unwrap(); +- assert_eq!(wrapper.as_slice().len(), 3 + 2); +- assert_eq!(wrapper.as_slice()[3], 3); +- assert_eq!(wrapper.as_slice()[3 + 1], 14); +- +- let mut wrapper2 = wrapper.clone(); +- assert_eq!( +- wrapper.as_mut_fam_struct().index, +- wrapper2.as_mut_fam_struct().index +- ); +- assert_eq!( +- wrapper.as_mut_fam_struct().length, +- wrapper2.as_mut_fam_struct().length +- ); +- assert_eq!( +- wrapper.as_mut_fam_struct().flags, +- wrapper2.as_mut_fam_struct().flags +- ); +- assert_eq!(wrapper.as_slice(), wrapper2.as_slice()); +- assert_eq!( +- wrapper2.as_slice().len(), +- wrapper2.as_mut_fam_struct().length as usize +- ); +- assert!(wrapper == wrapper2); ++ // SAFETY: We do play with length here, but that's just for testing purposes :) ++ unsafe { ++ wrapper.as_mut_fam_struct().index = 1; ++ wrapper.as_mut_fam_struct().flags = 2; ++ wrapper.as_mut_fam_struct().length = 3; ++ wrapper.push(3).unwrap(); ++ wrapper.push(14).unwrap(); ++ assert_eq!(wrapper.as_slice().len(), 3 + 2); ++ assert_eq!(wrapper.as_slice()[3], 3); ++ 
assert_eq!(wrapper.as_slice()[3 + 1], 14); ++ ++ let mut wrapper2 = wrapper.clone(); ++ assert_eq!( ++ wrapper.as_mut_fam_struct().index, ++ wrapper2.as_mut_fam_struct().index ++ ); ++ assert_eq!( ++ wrapper.as_mut_fam_struct().length, ++ wrapper2.as_mut_fam_struct().length ++ ); ++ assert_eq!( ++ wrapper.as_mut_fam_struct().flags, ++ wrapper2.as_mut_fam_struct().flags ++ ); ++ assert_eq!(wrapper.as_slice(), wrapper2.as_slice()); ++ assert_eq!( ++ wrapper2.as_slice().len(), ++ wrapper2.as_mut_fam_struct().length as usize ++ ); ++ assert!(wrapper == wrapper2); + +- wrapper.as_mut_fam_struct().index = 3; +- assert!(wrapper != wrapper2); ++ wrapper.as_mut_fam_struct().index = 3; ++ assert!(wrapper != wrapper2); + +- wrapper.as_mut_fam_struct().length = 7; +- assert!(wrapper != wrapper2); ++ wrapper.as_mut_fam_struct().length = 7; ++ assert!(wrapper != wrapper2); + +- wrapper.push(1).unwrap(); +- assert_eq!(wrapper.as_mut_fam_struct().length, 8); +- assert!(wrapper != wrapper2); ++ wrapper.push(1).unwrap(); ++ assert_eq!(wrapper.as_mut_fam_struct().length, 8); ++ assert!(wrapper != wrapper2); + +- let mut wrapper2 = wrapper.clone(); +- assert!(wrapper == wrapper2); ++ let mut wrapper2 = wrapper.clone(); ++ assert!(wrapper == wrapper2); + +- // Dropping the original variable should not affect its clone. +- drop(wrapper); +- assert_eq!(wrapper2.as_mut_fam_struct().index, 3); +- assert_eq!(wrapper2.as_mut_fam_struct().length, 8); +- assert_eq!(wrapper2.as_mut_fam_struct().flags, 2); +- assert_eq!(wrapper2.as_slice(), [0, 0, 0, 3, 14, 0, 0, 1]); ++ // Dropping the original variable should not affect its clone. ++ drop(wrapper); ++ assert_eq!(wrapper2.as_mut_fam_struct().index, 3); ++ assert_eq!(wrapper2.as_mut_fam_struct().length, 8); ++ assert_eq!(wrapper2.as_mut_fam_struct().flags, 2); ++ assert_eq!(wrapper2.as_slice(), [0, 0, 0, 3, 14, 0, 0, 1]); ++ } + } + + #[cfg(feature = "with-serde")] 
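Review bot: Turning `FamStruct::set_len` into an `unsafe fn` (in the trait, its doc example and `generate_fam_struct_impl!`) is a breaking API change for any `FamStruct` implementor in the dependency graph that does not go through the macro, and the Cargo.toml context lines show at least one consumer (`kvm-bindings`) being taken from a git branch rather than from the patched vendor tree; it is worth confirming that the whole workspace, not only the crates patched in this commit, builds against the new signature. The `[dev-dependencies.bincode]` entry added to the vendored `Cargo.toml` will not be present in the `cargo vendor` tarball, so if the crate's tests are ever run with `with-serde` the build will need `bincode` vendored as well (the spec's `%check` is not visible here). Two wording slips survive from upstream in the new doc comments — "modify the `len` filed" should read "field", and "the implementor should ensures" should read "should ensure"; since the patch header cites the upstream commit, either leave them to stay byte-identical with upstream or mention the edit in the patch header.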
diff --git a/SPECS/cloud-hypervisor/cloud-hypervisor.spec b/SPECS/cloud-hypervisor/cloud-hypervisor.spec index ed774384446..ca9342d2489 100644 --- a/SPECS/cloud-hypervisor/cloud-hypervisor.spec +++ b/SPECS/cloud-hypervisor/cloud-hypervisor.spec @@ -5,7 +5,7 @@ Summary: Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM. Name: cloud-hypervisor Version: 32.0 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 OR BSD-3-clause Vendor: Microsoft Corporation Distribution: Mariner @@ -19,9 +19,13 @@ Source0: https://github.com/cloud-hypervisor/cloud-hypervisor/archive/ref # cd %{name}-%{version} # cargo vendor > config.toml # tar -czf %{name}-%{version}-cargo.tar.gz vendor/ +# rename the tarball to %{name}-%{version}-cargo.tar.gz when updating version Source1: %{name}-%{version}-cargo.tar.gz Source2: config.toml Patch0: CVE-2023-45853.patch +Patch1: CVE-2023-50711-vmm-sys-util.patch +Patch2: CVE-2023-50711-vhost.patch +Patch3: CVE-2023-50711-versionize.patch %endif BuildRequires: binutils @@ -75,6 +79,9 @@ tar xf %{SOURCE1} pushd vendor/libz-sys/src/zlib %patch0 -p1 popd +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 mkdir -p .cargo cp %{SOURCE2} .cargo/ %endif @@ -155,6 +162,9 @@ cargo build --release --target=%{rust_musl_target} --package vhost_user_block %{ %license LICENSE-BSD-3-Clause %changelog +* Mon Jan 15 2024 Sindhu Karri - 32.0-3 +- Patch CVE-2023-50711 in vendor/vmm-sys-util, vendor/vhost, vendor/versionize + * Mon Oct 23 2023 Rohit Rawat - 32.0-2 - Patch CVE-2023-45853 in vendor/libz-sys/src/zlib diff --git a/SPECS/cloud-init/Retain-exit-code-in-cloud-init-status-for-recoverabl.patch b/SPECS/cloud-init/Retain-exit-code-in-cloud-init-status-for-recoverabl.patch new file mode 100644 index 00000000000..f9410feba87 --- /dev/null +++ b/SPECS/cloud-init/Retain-exit-code-in-cloud-init-status-for-recoverabl.patch 
@@ -0,0 +1,46 @@ +From 66d82824f7ab18d12ca8020f6df31ce1c19e550c Mon Sep 17 00:00:00 2001 +From: Chris Co +Date: Wed, 10 Jan 2024 06:21:24 +0000 +Subject: [PATCH] Retain exit code in cloud-init status for recoverable errors + +Description: Retain exit code in cloud-init status for recoverable errors + (LP: #2048522). +Author: Alberto Contreras +Last-Update: 2024-01-08 +--- + +Modifed-by: Chris Co +--- + cloudinit/cmd/status.py | 2 +- + tests/unittests/cmd/test_status.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/cloudinit/cmd/status.py b/cloudinit/cmd/status.py +index 249fc91..7bdfa4b 100644 +--- a/cloudinit/cmd/status.py ++++ b/cloudinit/cmd/status.py +@@ -225,7 +225,7 @@ def handle_status_args(name, args) -> int: + return 1 + # Recoverable error + elif details.status in UXAppStatusDegradedMap.values(): +- return 2 ++ return 0 + return 0 + + +diff --git a/tests/unittests/cmd/test_status.py b/tests/unittests/cmd/test_status.py +index 6e4eac4..244acc1 100644 +--- a/tests/unittests/cmd/test_status.py ++++ b/tests/unittests/cmd/test_status.py +@@ -644,7 +644,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin + }, + None, + MyArgs(long=False, wait=False, format="json"), +- 2, ++ 0, + { + "boot_status_code": "enabled-by-kernel-cmdline", + "datasource": "nocloud", +-- +2.33.8 + diff --git a/SPECS/cloud-init/cloud-init.signatures.json b/SPECS/cloud-init/cloud-init.signatures.json index 0a4179948c9..68dc8ded353 100644 --- a/SPECS/cloud-init/cloud-init.signatures.json +++ b/SPECS/cloud-init/cloud-init.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { "10-azure-kvp.cfg": "79e0370c010be5cd4717960e4b414570c9ec6e6d29aede77ccecc43d2b03bb9a", - "cloud-init-23.3.tar.gz": "1a5a54369f78891b79f43061c1ff0fb31e2bd74ff9527d7150ddd6517c3e2b07" + "cloud-init-23.4.1.tar.gz": "f12d207cf147ab981787487d38cda09ee71975505df224c96a6cf1d59f53ca2f" } } 
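Review bot: Returning `0` for statuses in `UXAppStatusDegradedMap` makes the `elif` branch identical to the `return 0` that follows it, and it removes the only exit-code signal `cloud-init status` gave callers (for example `--wait` loops in provisioning scripts) that a recoverable error occurred; the degraded state is still present in `details.status`, but anything keyed on the exit code will now treat it as success. The patch header ("Retain exit code in cloud-init status for recoverable errors (LP: #2048522)") states what changes but not why, so the intent — presumably keeping the pre-23.4 exit-code contract — should be spelled out at the site, e.g. `# Recoverable error: report it in the status output but keep exit code 0 for compatibility with pre-23.4 callers`, and the spec changelog entry could say the same. `handle_status_args` starts outside the hunk.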
diff --git a/SPECS/cloud-init/cloud-init.spec b/SPECS/cloud-init/cloud-init.spec index af09c296a9e..5fa5c02e57d 100644 --- a/SPECS/cloud-init/cloud-init.spec +++ b/SPECS/cloud-init/cloud-init.spec @@ -1,7 +1,7 @@ Summary: Cloud instance init scripts Name: cloud-init -Version: 23.3 -Release: 1%{?dist} +Version: 23.4.1 +Release: 2%{?dist} License: GPLv3 Vendor: Microsoft Corporation Distribution: Mariner @@ -9,12 +9,12 @@ Group: System Environment/Base URL: https://launchpad.net/cloud-init Source0: https://launchpad.net/cloud-init/trunk/%{version}/+download/%{name}-%{version}.tar.gz Source1: 10-azure-kvp.cfg -Patch0: overrideDatasourceDetection.patch +Patch0: Retain-exit-code-in-cloud-init-status-for-recoverabl.patch %define cl_services cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service BuildRequires: automake BuildRequires: dbus BuildRequires: iproute -BuildRequires: mariner-release +BuildRequires: mariner-release BuildRequires: python3 BuildRequires: python3-PyYAML BuildRequires: python3-certifi @@ -23,7 +23,9 @@ BuildRequires: python3-configobj BuildRequires: python3-idna BuildRequires: python3-ipaddr BuildRequires: python3-jinja2 +BuildRequires: python3-jsonschema BuildRequires: python3-libs +BuildRequires: python3-netifaces BuildRequires: python3-requests BuildRequires: python3-setuptools BuildRequires: python3-six @@ -80,7 +82,7 @@ python3 setup.py build %install %{py3_install "--init-system=systemd"} -python3 tools/render-cloudcfg --variant mariner > %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg +python3 tools/render-template --variant mariner > %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg sed -i "s,@@PACKAGED_VERSION@@,%{version}-%{release}," %{buildroot}/%{python3_sitelib}/cloudinit/version.py %if "%{_arch}" == "aarch64" 
@@ -143,6 +145,17 @@ make check %{?_smp_mflags} %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg %changelog +* Fri Jan 19 2024 Chris Co - 23.4.1-2 +- Add patch to retain exit code for recoverable errors + +* Fri Jan 19 2024 Chris Co - 23.4.1-1 +- Upgrade cloud-init to 23.4.1 +- Remove overrideDatasourceDetection patch since it is now in 23.4 source + +* Thu Jan 18 2024 Pawel Winogrodzki - 23.3-2 +- Switching to our version of 'jsonschema' to keep the tests more stable. +- Fixing source URL. + * Tue Oct 10 2023 Minghe Ren - 23.3-1 - Upgrade to cloud-init 23.3 and remove unnecessary testGetInterfacesUnitTest.patch @@ -150,7 +163,7 @@ make check %{?_smp_mflags} - Add patch overrideDatasourceDetection bug from upstream * Thu Aug 24 2023 Minghe Ren - 23.2-3 -- Remove the line prohibits cloud-init log dumping to serial console +- Remove the line prohibits cloud-init log dumping to serial console * Fri Aug 11 2023 Minghe Ren - 23.2-2 - Add patch for unit test failure diff --git a/SPECS/cloud-init/overrideDatasourceDetection.patch b/SPECS/cloud-init/overrideDatasourceDetection.patch deleted file mode 100644 index dc6ed5b5cee..00000000000 --- a/SPECS/cloud-init/overrideDatasourceDetection.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 35988cc4452f7df42e3c1b462731489bd33dade6 Mon Sep 17 00:00:00 2001 -From: Chris Patterson -Date: Mon, 11 Sep 2023 16:56:06 -0400 -Subject: [PATCH] sources: do not override datasource detection if None is in - list - -Users with datasource_list = [Azure, None] started failing to boot -properly outside of Azure with the changes to override datasource detection. - -If the fallback "None" is included in the datasource_list, do not treat -the system as configured with a single datasource. - -If users want to force a single datasource regardless of detection, -they can do so by removing None from the list. - -Signed-off-by: Chris Patterson ---- - cloudinit/sources/__init__.py | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff -ruN a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py ---- a/cloudinit/sources/__init__.py 2023-08-28 09:20:24.000000000 -0700 -+++ b/cloudinit/sources/__init__.py 2023-09-13 15:00:23.287549869 -0700 -@@ -352,10 +352,7 @@ - self, - ) - return True -- elif self.sys_cfg.get("datasource_list", []) in ( -- [self.dsname], -- [self.dsname, "None"], -- ): -+ elif self.sys_cfg.get("datasource_list", []) == [self.dsname]: - LOG.debug( - "Machine is configured to run on single datasource %s.", self - ) diff --git a/SPECS/coredns/CVE-2023-44487.patch b/SPECS/coredns/CVE-2023-44487.patch new file mode 100644 index 00000000000..e8c1d327535 --- /dev/null +++ b/SPECS/coredns/CVE-2023-44487.patch 
@@ -0,0 +1,152 @@ +From b225e7ca6dde1ef5a5ae5ce922861bda011cfabd Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go +--- + + vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++++++++- + vendor/golang.org/x/net/http2/server_test.go | 113 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 177 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index de60fa88f..02c88b6b3 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -581,9 +581,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise 
(even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + peerMaxHeaderListSize uint32 // zero means unknown (default) +@@ -981,6 +983,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -1020,6 +1024,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -2017,8 +2022,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + st.readDeadline = time.AfterFunc(sc.hs.ReadTimeout, st.onReadTimeout) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (sc *serverConn) upgradeRequest(req *http.Request) { +@@ -2038,6 +2042,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) { + sc.conn.SetReadDeadline(time.Time{}) + } + ++ // This is the first request on the connection, ++ // so start the handler directly rather than going ++ // through scheduleHandler. ++ sc.curHandlers++ + go sc.runHandler(rw, req, sc.handler.ServeHTTP) + } + +@@ -2278,8 +2286,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response + return &responseWriter{rws: rws} + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. 
++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() diff --git a/SPECS/coredns/coredns.signatures.json b/SPECS/coredns/coredns.signatures.json index 9104f96f893..86eb2d8f4de 100644 --- a/SPECS/coredns/coredns.signatures.json +++ b/SPECS/coredns/coredns.signatures.json 
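Review bot: The patch is filed as CVE-2023-44487.patch and the spec changelog says "Address CVE-2023-44487", but the embedded commit itself says `Fixes CVE-2023-39325`; the x/net change (deferring handler goroutines once `curHandlers` reaches `advMaxStreams`) is the Go-side mitigation tracked under the latter ID, with CVE-2023-44487 being the protocol-level rapid-reset issue, so the file name, the `Patch1000:` comment and the changelog entry in coredns.spec should carry both IDs or scanners keyed on CVE-2023-39325 will not see the fix. The "Modified to apply to vendored code" note says `server_test.go` was removed, yet the diffstat still lists `vendor/golang.org/x/net/http2/server_test.go | 113 +++…` and `2 files changed, 177 insertions(+)`; that stale stat should be dropped or regenerated so `git apply --stat`-style consumers are not misled. The same naming point applies to the coredns.spec hunks that follow.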
@@ -3,4 +3,4 @@ "coredns-1.11.1.tar.gz": "4e1cde1759d1705baa9375127eb405cd2f5031f9152947bb958a51fee5898d8c", "coredns-1.11.1-vendor.tar.gz": "f6713fb6bdb6da88bab4c93a53317907991fa2e304cc2f224bfee88df6c26846" } -} \ No newline at end of file +} diff --git a/SPECS/coredns/coredns.spec b/SPECS/coredns/coredns.spec index df018f3d6c0..45551362bec 100644 --- a/SPECS/coredns/coredns.spec +++ b/SPECS/coredns/coredns.spec @@ -3,7 +3,7 @@ Summary: Fast and flexible DNS server Name: coredns Version: 1.11.1 -Release: 1%{?dist} +Release: 2%{?dist} License: Apache License 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -32,22 +32,37 @@ Source0: %{name}-%{version}.tar.gz Source1: %{name}-%{version}-vendor.tar.gz Patch0: makefile-buildoption-commitnb.patch +# Patch for old x/net/http2 vendored code, apply after vendored code is extracted. +Patch1000: CVE-2023-44487.patch + BuildRequires: golang >= 1.12 %description CoreDNS is a fast and flexible DNS server. %prep -%autosetup -p1 +%autosetup -N +%autopatch -p1 -M 999 %build # create vendor folder from the vendor tarball and set vendor mode tar -xf %{SOURCE1} --no-same-owner +patch -p1 < %{PATCH1000} export BUILDOPTS="-mod=vendor -v" # set commit number that correspond to the github tag for that version export GITCOMMIT="ae2bbc29be1aaae0b3ded5d188968a6c97bb3144" make +%check +# From go.test.yml +go install github.com/fatih/faillint@latest && \ +(cd request && go test -v -race ./...) && \ +(cd core && go test -v -race ./...) && \ +(cd coremain && go test -v -race ./...) && \ +(cd plugin && go test -v -race ./...) && \ +(cd test && go test -v -race ./...) && \ +./coredns -version + %install install -m 755 -d %{buildroot}%{_bindir} install -p -m 755 -t %{buildroot}%{_bindir} %{name} 
@@ -58,6 +73,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name} %{_bindir}/%{name} %changelog +* Mon Jan 29 2024 Daniel McIlvaney - 1.11.1-2 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Tue Oct 18 2023 Nicolas Guibourge - 1.11.1-1 - Upgrade to 1.11.1 to match version required by kubernetes diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec index f0d9ba93de1..985bdca4b8b 100644 --- a/SPECS/curl/curl.spec +++ b/SPECS/curl/curl.spec @@ -1,7 +1,7 @@ Summary: An URL retrieval utility and library Name: curl Version: 8.5.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Vendor: Microsoft Corporation Distribution: Mariner @@ -85,6 +85,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/libcurl.so.* %changelog +* Wed Jan 17 2024 Harshit Gupta - 8.5.0-2 +- Release bump with no changes to force a rebuild and consume new libssh2 build + * Tue Dec 19 2023 CBL-Mariner Servicing Account - 8.5.0-1 - Auto-upgrade to 8.5.0 - CVE-2023-46219 diff --git a/SPECS/dracut/20overlayfs/module-setup.sh b/SPECS/dracut/20overlayfs/module-setup.sh new file mode 100755 index 00000000000..46ef040d113 --- /dev/null +++ b/SPECS/dracut/20overlayfs/module-setup.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +check() { + return 0 +} + +depends() { + echo base +} + +# Install Overlay driver. +installkernel() { + instmods overlay +} + +install() { + inst_hook pre-pivot 10 "$moddir/overlayfs-mount.sh" +} diff --git a/SPECS/dracut/20overlayfs/overlayfs-mount.sh b/SPECS/dracut/20overlayfs/overlayfs-mount.sh new file mode 100755 index 00000000000..76dbe030463 --- /dev/null +++ b/SPECS/dracut/20overlayfs/overlayfs-mount.sh 
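Review bot: The new `%check` section opens with `go install github.com/fatih/faillint@latest && \`, which fetches an unpinned tool from the network inside the RPM build; in an offline or hermetic build this line fails outright, and elsewhere it makes the result depend on whatever `faillint` happens to be current that day — and nothing in the visible lines invokes `faillint` afterwards. Drop that line (the `(cd request && go test -v -race ./...)` chain can start the section) or, if the linter is wanted, vendor it and pin a version. Also, `BUILDOPTS="-mod=vendor -v"` is consumed by the Makefile, so the bare `go test` invocations may not see `-mod=vendor`; exporting `GOFLAGS=-mod=vendor` before the chain would keep the tests on the vendored tree, including the freshly patched x/net.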
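Review bot: `install()` only installs the hook, while the hook it installs (`overlayfs-mount.sh`, next file) calls `mdadm --assemble` when `/etc/mdadm.conf` exists; with `depends()` returning just `base`, `mdadm` and its config are only in the initramfs if some other module (dracut's `mdraid`) happens to be included. If RAID-backed persistent volumes are a supported configuration, `depends()` should return `base mdraid` (or this module should `inst_multiple mdadm` itself); if not, that branch in the hook is dead code to remove. Relatedly, the hook's shebang is `#!/bin/sh` but it uses the `[[ ... ]]` pattern test, which is a bash-ism — fine if the initramfs `/bin/sh` is bash, otherwise `[[` is a command-not-found error that `set -e` turns into an abort of the whole pre-pivot hook.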
@@ -0,0 +1,127 @@
+#!/bin/sh
+
+# Description: This script is designed to mount a DM-Verity root filesystem and
+# set up an OverlayFS. It is driven by kernel parameters and is invoked during
+# the dracut initramfs phase.
+
+# Kernel Parameters:
+# - root: Specifies the path to the root filesystem. This script is designed to
+# support both DM-Verity protected devices and general filesystems. When a
+# DM-Verity protected device is detected (typically '/dev/mapper/root' for
+# systemd), the script performs steps specific to Verity. For non-DM-Verity
+# setups, the script will proceed with the standard OverlayFS setup, ensuring
+# versatility in its application.
+# - rd.overlayfs: A comma-separated list defining the OverlayFS configuration.
+# Each entry should specify the overlay, upper, and work directories for an
+# OverlayFS instance.
+# - rd.overlayfs_persistent_volume: Specifies the path to a persistent storage
+# volume to be used by OverlayFS. If not provided, a volatile (tmpfs) overlay
+# is created.
+
+# Behavior:
+# - Verifies the presence of the 'dracut-lib' for necessary utilities.
+# - Mounts the DM-Verity root filesystem as read-only at a predefined mount
+# point.
+# - Sets up the OverlayFS based on the provided kernel parameters. If a
+# persistent volume is specified, it's used as the upper layer for the
+# OverlayFS; otherwise, a volatile overlay is created.
+# - Mounts the OverlayFS on top of the root filesystem, merging the read-only
+# root with the writable overlay, allowing system modifications without
+# altering the base system.
+
+set -ex
+
+parse_cmdline_args() {
+ # Ensure that the 'dracut-lib' is present and loaded.
+ type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
+
+ VERITY_MOUNT="/mnt/verity_mnt_$$"
+ OVERLAY_MOUNT="/mnt/overlay_mnt_$$"
+ OVERLAY_MNT_OPTS="rw,nodev,nosuid,nouser,noexec"
+
+ # Retrieve the verity root. It is expected to be predefined by the dracut cmdline module.
+ [ -z "$root" ] && root=$(getarg root=)
+ # Check if we're in a dm-verity environment and the root variable matches
+ # the expected path. The path "/dev/mapper/root" is hardcoded here because
+ # it is a fixed target name generated by systemd-veritysetup. The name of
+ # this dm-verity target is determined by systemd and cannot be changed,
+ # hence the explicit check against this specific path.
+ if [[ "$root" == *"/dev/mapper/root"* ]]; then
+ is_verity=true
+ else
+ is_verity=false
+ fi
+
+ # Retrieve the OverlayFS parameters.
+ [ -z "${overlayfs}" ] && overlayfs=$(getarg rd.overlayfs=)
+ # Retrieve the persistent volume for the OverlayFS.
+ [ -z "${overlayfs_persistent_volume}" ] && overlayfs_persistent_volume=$(getarg rd.overlayfs_persistent_volume=)
+}
+
+# Modified function to mount the physical partition
+mount_physical_partition() {
+ mkdir -p "${OVERLAY_MOUNT}"
+ # Leverage the partition from cmdline
+ local partition="${overlayfs_persistent_volume}"
+
+ if [ -z "${partition}" ]; then
+ # Fallback to volatile overlay if no persistent volume is specified
+ echo "No overlayfs persistent volume specified. Creating a volatile overlay."
+ mount -t tmpfs tmpfs -o ${OVERLAY_MNT_OPTS} "${OVERLAY_MOUNT}" || \
+ die "Failed to create overlay tmpfs at ${OVERLAY_MOUNT}"
+ else
+ # Check if /etc/mdadm.conf exists.
+ if [ -f "/etc/mdadm.conf" ]; then
+ mdadm --assemble ${partition} || \
+ die "Failed to assemble RAID volume."
+ fi
+
+ # Mount the specified persistent volume
+ mount "${partition}" "${OVERLAY_MOUNT}" || \
+ die "Failed to mount ${partition} at ${OVERLAY_MOUNT}"
+ fi
+}
+
+create_overlay() {
+ local _dir=$1
+ local _mounted_dir="${VERITY_MOUNT}/${_dir}"
+ local _upper=$2
+ local _work=$3
+
+ [ -d "$_mounted_dir" ] || die "Unable to create overlay as $_dir does not exist"
+
+ mkdir -p "${_upper}" && \
+ mkdir -p "${_work}" && \
+ mount -t overlay overlay -o ro,lowerdir="${_mounted_dir}",upperdir="${_upper}",workdir="${_work}" "${_mounted_dir}" || \
+ die "Failed to mount overlay in ${_mounted_dir}"
+}
+
+mount_root() {
+ if [ "$is_verity" = true ]; then
+ echo "Mounting DM-Verity Target"
+ mkdir -p "${VERITY_MOUNT}"
+ mount -o ro,defaults "/dev/mapper/root" "${VERITY_MOUNT}" || \
+ die "Failed to mount dm-verity root target"
+ else
+ echo "Mounting regular root"
+ mkdir -p "${VERITY_MOUNT}"
+ mount -o ro,defaults "$root" "${VERITY_MOUNT}" || \
+ die "Failed to mount root"
+ fi
+
+ mount_physical_partition
+
+ echo "Starting to create OverlayFS"
+ for _group in ${overlayfs}; do
+ IFS=',' read -r overlay upper work <<< "$_group"
+ echo "Creating OverlayFS with overlay: $overlay, upper: ${OVERLAY_MOUNT}/${upper}, work: ${OVERLAY_MOUNT}/${work}"
+ create_overlay "$overlay" "${OVERLAY_MOUNT}/${upper}" "${OVERLAY_MOUNT}/${work}"
+ done
+
+ echo "Done Verity Root Mounting and OverlayFS Mounting"
+ # Re-mount the verity mount along with overlayfs to the sysroot.
+ mount --rbind "${VERITY_MOUNT}" "${NEWROOT}"
+}
+
+parse_cmdline_args
+mount_root
diff --git a/SPECS/dracut/allow-liveos-overlay-no-user-confirmation-prompt.patch b/SPECS/dracut/allow-liveos-overlay-no-user-confirmation-prompt.patch
new file mode 100644
index 00000000000..3378e665f0e
--- /dev/null
+++ b/SPECS/dracut/allow-liveos-overlay-no-user-confirmation-prompt.patch
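Review bot: The persistent-volume branch of `mount_physical_partition` mounts the upper layer with no options at all (`mount "${partition}" "${OVERLAY_MOUNT}"`), while the tmpfs fallback gets `nodev,nosuid,noexec` from `OVERLAY_MNT_OPTS`; the persistent volume is where every writable byte of the system lands, so it deserves the same treatment: `mount -o "${OVERLAY_MNT_OPTS}" "${partition}" "${OVERLAY_MOUNT}" || \`. `mdadm --assemble ${partition}` is the one unquoted expansion of a cmdline value in the file and should be `"${partition}"`. The header comment should also spell out the trust boundary: on a dm-verity root the upper layer is unauthenticated and overrides any file in the verified lower layer, and the `rd.overlayfs` / `rd.overlayfs_persistent_volume` path components are joined into `${VERITY_MOUNT}/...` and `${OVERLAY_MOUNT}/...` without validation, so the integrity guarantee ends at the lowerdir and the kernel cmdline must itself be trusted (signed or measured). Two smaller points: the overlay is mounted with `ro` although the header promises a writable overlay — if something later remounts it read-write, a comment should say so; and `[[ ... ]]` and `<<<` are bash constructs under a `#!/bin/sh` shebang, which only works if the initramfs `/bin/sh` is bash.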
@@ -0,0 +1,49 @@ +From 4d47f0bae243577a4cf634ae5e01b324cf78e7eb Mon Sep 17 00:00:00 2001 +From: George Mileka +Date: Thu, 25 Jan 2024 15:06:13 -0800 +Subject: [PATCH] Update dracut to allow supressing user confirmation prompt + when the liveos overlay is backed by memory. + +Dracut allows the creation of a LiveOS using a read-only squashfs and an read-write overlay on top. + +If the read-write overlay is backed by a ram-disk, Dracut halts booting and prompts the user to confirm +whether to continue or not. + +This interaction during the boot process is not desired in all cases. + +This change introduces a new flag (rd.live.overlay.nouserconfirmprompt) that when defined, it supresses +the prompt and allows the boot process to continue to completion without user interation. + +There is no impact to existing configurations and their associated behavior. Only when the new switch +is explicitly define by the image build (as a kernel parameter), the new behavior will take effect. +--- + modules.d/90dmsquash-live/dmsquash-live-root.sh | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/modules.d/90dmsquash-live/dmsquash-live-root.sh b/modules.d/90dmsquash-live/dmsquash-live-root.sh +index 09128076..90d3e620 100755 +--- a/modules.d/90dmsquash-live/dmsquash-live-root.sh ++++ b/modules.d/90dmsquash-live/dmsquash-live-root.sh +@@ -25,6 +25,10 @@ squash_image=$(getarg rd.live.squashimg) + getargbool 0 rd.live.ram -d -y live_ram && live_ram="yes" + getargbool 0 rd.live.overlay.reset -d -y reset_overlay && reset_overlay="yes" + getargbool 0 rd.live.overlay.readonly -d -y readonly_overlay && readonly_overlay="--readonly" || readonly_overlay="" ++# 'nouserconfirmprompt' is used to suppress a blocking prompt that asks for a ++# user confirmation before proceeding during boot time. This is to provide a ++# path for the image builder to boot it without user interaction. 
++getargbool 0 rd.live.overlay.nouserconfirmprompt -d -y overlay_no_user_confirm_prompt && overlay_no_user_confirm_prompt="--noprompt" || overlay_no_user_confirm_prompt="" + overlay=$(getarg rd.live.overlay -d overlay) + getargbool 0 rd.writable.fsimg -d -y writable_fsimg && writable_fsimg="yes" + overlay_size=$(getarg rd.live.overlay.size=) +@@ -185,7 +189,7 @@ do_live_overlay() { + fi + + if [ -z "$setup" -o -n "$readonly_overlay" ]; then +- if [ -n "$setup" ]; then ++ if [ -n "$setup" -o -n "$overlay_no_user_confirm_prompt" ]; then + warn "Using temporary overlay." + elif [ -n "$devspec" -a -n "$pathspec" ]; then + [ -z "$m" ] \ +-- +2.34.1 + diff --git a/SPECS/dracut/dracut.signatures.json b/SPECS/dracut/dracut.signatures.json index 7f5e2eafd20..2cca1f8ef3c 100644 --- a/SPECS/dracut/dracut.signatures.json +++ b/SPECS/dracut/dracut.signatures.json @@ -3,6 +3,8 @@ "dracut-055.tar.xz": "4baa08206cceeb124dbf1075a0daf774b5a8f144ce2e01d82a144af3020fd65b", "lgpl-2.1.txt": "dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551", "megaraid.conf": "914824cdbe0c525b71efa05a75e453335b0068beb8bc28bef2a5866d74bf7dd4", - "mkinitrd": "32a0e19de954a356a0f1903a1f75d3266493b55d71b0eeab6bd07b585e955dcf" + "mkinitrd": "32a0e19de954a356a0f1903a1f75d3266493b55d71b0eeab6bd07b585e955dcf", + "module-setup.sh": "330af5c105793fb37434730ce0ff59467a9cc60a81a5e32193dc53235e9744c1", + "overlayfs-mount.sh": "63552c4115b5c37ed04c5311367301483e2dfe1091dc5717b2bd22d9cdda044b" } } \ No newline at end of file diff --git a/SPECS/dracut/dracut.spec b/SPECS/dracut/dracut.spec index 9f30e3611a5..e2fd0a52f57 100644 --- a/SPECS/dracut/dracut.spec +++ b/SPECS/dracut/dracut.spec @@ -4,7 +4,7 @@ Summary: dracut to create initramfs Name: dracut Version: 055 -Release: 5%{?dist} +Release: 7%{?dist} # The entire source code is GPLv2+ # except install/* which is LGPLv2+ License: GPLv2+ AND LGPLv2+ 
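Review bot: `overlay_no_user_confirm_prompt` is assigned the string `--noprompt`, which reads like a flag forwarded to a command (as `readonly_overlay="--readonly"` two lines above is), but its only use is the `-n` test in `do_live_overlay`; `overlay_no_user_confirm_prompt="yes"`, the convention `live_ram` and `reset_overlay` already follow, would say what it actually is. The commit text carries typos that will live on in the carried patch ('supressing', 'interation', 'explicitly define by the image build'). As far as the hunk shows, the prompt being skipped is the warning path for a temporary overlay, so the parameter's documentation should state that the caller is accepting the loss of all overlay writes on reboot — the diffstat shows this patch touches only the shell script and adds no entry for `rd.live.overlay.nouserconfirmprompt` to dracut's cmdline documentation.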
@@ -16,9 +16,16 @@ Source0: http://www.kernel.org/pub/linux/utils/boot/dracut/%{name}-%{vers Source1: https://www.gnu.org/licenses/lgpl-2.1.txt Source2: mkinitrd Source3: megaraid.conf +Source4: 20overlayfs/module-setup.sh +Source5: 20overlayfs/overlayfs-mount.sh Patch0: disable-xattr.patch Patch1: fix-initrd-naming-for-mariner.patch Patch2: fix-functions-Avoid-calling-grep-with-PCRE-P.patch +# allow-liveos-overlay-no-user-confirmation-prompt.patch has been introduced by +# the Mariner team to allow skipping the user confirmation prompt during boot +# when the overlay of the liveos is backed by ram. This allows the machine to +# boot without being blocked on user input in such a scenario. +Patch3: allow-liveos-overlay-no-user-confirmation-prompt.patch BuildRequires: asciidoc BuildRequires: bash BuildRequires: git @@ -68,6 +75,13 @@ Requires: %{name} = %{version}-%{release} %description tools This package contains tools to assemble the local initrd and host configuration. +%package overlayfs +Summary: dracut module to build a dracut initramfs with OverlayFS support +Requires: %{name} = %{version}-%{release} + +%description overlayfs +This package contains dracut module needed to build an initramfs with OverlayFS support. + %prep %autosetup -p1 cp %{SOURCE1} . @@ -115,6 +129,10 @@ install -m 0755 %{SOURCE2} %{buildroot}%{_bindir}/mkinitrd install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/dracut.conf.d/50-megaraid.conf +mkdir -p %{buildroot}%{_libdir}/dracut/modules.d/20overlayfs/ +install -p -m 0755 %{SOURCE4} %{buildroot}%{_libdir}/dracut/modules.d/20overlayfs/ +install -p -m 0755 %{SOURCE5} %{buildroot}%{_libdir}/dracut/modules.d/20overlayfs/ + # create compat symlink mkdir -p %{buildroot}%{_sbindir} ln -sr %{buildroot}%{_bindir}/dracut %{buildroot}%{_sbindir}/dracut 
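Review bot: The new `dracut-overlayfs` subpackage declares only `Requires: %{name} = %{version}-%{release}`, but the hook it installs calls `mdadm` when `/etc/mdadm.conf` is present; if the RAID path is meant to work, a `Requires: mdadm` (or a comment saying RAID support is delegated to the host's dracut mdraid module) belongs on the `%package overlayfs` stanza. The module is installed under `%{_libdir}/dracut/modules.d/20overlayfs/`, which expands to `/usr/lib64/dracut/...` on 64-bit targets, and dracut only scans its own base directory; please confirm the rest of this spec installs dracut itself under `%{_libdir}` rather than `%{_prefix}/lib` — the existing `%files` entries that would show this are outside the hunk. The explanatory comment on `Patch3` is good; a one-line comment above `Source4`/`Source5` noting they are shipped only in the `overlayfs` subpackage would mirror it.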
@@ -182,12 +200,22 @@ ln -sr %{buildroot}%{_bindir}/dracut %{buildroot}%{_sbindir}/dracut %files tools %defattr(-,root,root,0755) +%files overlayfs +%dir %{_libdir}/dracut/modules.d/20overlayfs +%{_libdir}/dracut/modules.d/20overlayfs/* + %{_bindir}/dracut-catimages %dir /boot/dracut %dir %{_sharedstatedir}/dracut %dir %{_sharedstatedir}/dracut/overlay %changelog +* Mon Jan 29 2024 Lanze Liu - 055-7 +- Add overlayfs sub-package. + +* Wed Jan 24 2024 George Mileka - 055-6 +- Add an option to supress user confirmation prompt for ram overlays. + * Thu Apr 27 2023 Daniel McIlvaney - 055-5 - Avoid using JIT'd perl in grep since it is blocked by SELinux. diff --git a/SPECS/elixir/elixir.spec b/SPECS/elixir/elixir.spec index 60fc285af94..760f0a19a32 100644 --- a/SPECS/elixir/elixir.spec +++ b/SPECS/elixir/elixir.spec @@ -2,7 +2,7 @@ Summary: elixir Name: elixir Version: 1.14.3 -Release: 1%{?dist} +Release: 2%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -39,6 +39,9 @@ export LANG="en_US.UTF-8" %changelog +* Wed Jan 17 2024 Harshit Gupta - 1.14.3-2 +- Release bump with no changes to force a rebuild and consume new erlang build + * Mon Feb 27 2023 Sam Meluch - 1.14.3-1 - Original version for CBL-Mariner - License verified diff --git a/SPECS/erlang/CVE-2023-48795.patch b/SPECS/erlang/CVE-2023-48795.patch new file mode 100644 index 00000000000..ce5dd02877c --- /dev/null +++ b/SPECS/erlang/CVE-2023-48795.patch 
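Review bot: The `%files overlayfs` block is inserted between `%defattr(-,root,root,0755)` and `%{_bindir}/dracut-catimages`, so `dracut-catimages`, `/boot/dracut`, `%{_sharedstatedir}/dracut` and `%{_sharedstatedir}/dracut/overlay` now belong to the overlayfs subpackage and `dracut-tools` ships nothing — the context lines show those four entries were the tail of `%files tools`. Move the new lines below `%dir %{_sharedstatedir}/dracut/overlay`, just before `%changelog`: `%files overlayfs` / `%dir %{_libdir}/dracut/modules.d/20overlayfs` / `%{_libdir}/dracut/modules.d/20overlayfs/*`. The other `%files` sections visible here carry `%defattr(-,root,root,0755)`; the new section should match.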
@@ -0,0 +1,806 @@ +This patch file is based on the upstream patch for CVE-2023-48795. +https://github.com/erlang/otp/commit/ea595ed835e05653fd981e62ee3f60086a3c490c +The upstream patch was backported to work for the maintained pkg version 25.2 + +diff --git a/lib/ssh/src/ssh.hrl b/lib/ssh/src/ssh.hrl +index c6d1d9d..ada70ae 100644 +--- a/lib/ssh/src/ssh.hrl ++++ b/lib/ssh/src/ssh.hrl +@@ -443,6 +443,8 @@ + send_ext_info, %% May send ext-info to peer + recv_ext_info, %% Expect ext-info from peer + ++ kex_strict_negotiated = false, ++ + algorithms, %% #alg{} + + send_mac = none, %% send MAC algorithm +@@ -514,7 +516,8 @@ + c_lng, + s_lng, + send_ext_info, +- recv_ext_info ++ recv_ext_info, ++ kex_strict_negotiated = false + }). + + -record(ssh_pty, {c_version = "", % client version string, e.g "SSH-2.0-Erlang/4.10.5" +diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl +index 10eb5e8..efd67f9 100644 +--- a/lib/ssh/src/ssh_connection_handler.erl ++++ b/lib/ssh/src/ssh_connection_handler.erl +@@ -701,6 +701,16 @@ handle_event(internal, #ssh_msg_disconnect{description=Desc} = Msg, StateName, D + disconnect_fun("Received disconnect: "++Desc, D), + {stop_and_reply, {shutdown,Desc}, Actions, D}; + ++handle_event(internal, #ssh_msg_ignore{}, {_StateName, _Role, init}, ++ #data{ssh_params = #ssh{kex_strict_negotiated = true, ++ send_sequence = SendSeq, ++ recv_sequence = RecvSeq}}) -> ++ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED, ++ io_lib:format("strict KEX violation: unexpected SSH_MSG_IGNORE " ++ "send_sequence = ~p recv_sequence = ~p", ++ [SendSeq, RecvSeq]) ++ ); ++ + handle_event(internal, #ssh_msg_ignore{}, _StateName, _) -> + keep_state_and_data; + +diff --git a/lib/ssh/src/ssh_fsm_kexinit.erl b/lib/ssh/src/ssh_fsm_kexinit.erl +index 6ac4ec7..b5ae015 100644 +--- a/lib/ssh/src/ssh_fsm_kexinit.erl ++++ b/lib/ssh/src/ssh_fsm_kexinit.erl +@@ -58,7 +58,7 @@ callback_mode() -> + handle_event(internal, {#ssh_msg_kexinit{}=Kex, 
Payload}, {kexinit,Role,ReNeg}, + D = #data{key_exchange_init_msg = OwnKex}) -> + Ssh1 = ssh_transport:key_init(peer_role(Role), D#data.ssh_params, Payload), +- Ssh = case ssh_transport:handle_kexinit_msg(Kex, OwnKex, Ssh1) of ++ Ssh = case ssh_transport:handle_kexinit_msg(Kex, OwnKex, Ssh1, ReNeg) of + {ok, NextKexMsg, Ssh2} when Role==client -> + ssh_connection_handler:send_bytes(NextKexMsg, D), + Ssh2; +diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl +index 371eb19..19c508b 100644 +--- a/lib/ssh/src/ssh_transport.erl ++++ b/lib/ssh/src/ssh_transport.erl +@@ -42,7 +42,7 @@ + key_exchange_init_msg/1, + key_init/3, new_keys_message/1, + ext_info_message/1, +- handle_kexinit_msg/3, handle_kexdh_init/2, ++ handle_kexinit_msg/4, handle_kexdh_init/2, + handle_kex_dh_gex_group/2, handle_kex_dh_gex_init/2, handle_kex_dh_gex_reply/2, + handle_new_keys/2, handle_kex_dh_gex_request/2, + handle_kexdh_reply/2, +@@ -236,7 +236,6 @@ supported_algorithms(cipher) -> + same( + select_crypto_supported( + [ +- {'chacha20-poly1305@openssh.com', [{ciphers,chacha20}, {macs,poly1305}]}, + {'aes256-gcm@openssh.com', [{ciphers,aes_256_gcm}]}, + {'aes256-ctr', [{ciphers,aes_256_ctr}]}, + {'aes192-ctr', [{ciphers,aes_192_ctr}]}, +@@ -244,6 +243,7 @@ supported_algorithms(cipher) -> + {'aes128-ctr', [{ciphers,aes_128_ctr}]}, + {'AEAD_AES_256_GCM', [{ciphers,aes_256_gcm}]}, + {'AEAD_AES_128_GCM', [{ciphers,aes_128_gcm}]}, ++ {'chacha20-poly1305@openssh.com', [{ciphers,chacha20}, {macs,poly1305}]}, + {'aes256-cbc', [{ciphers,aes_256_cbc}]}, + {'aes192-cbc', [{ciphers,aes_192_cbc}]}, + {'aes128-cbc', [{ciphers,aes_128_cbc}]}, +@@ -359,7 +359,8 @@ kexinit_message(Role, Random, Algs, HostKeyAlgs, Opts) -> + #ssh_msg_kexinit{ + cookie = Random, + kex_algorithms = to_strings( get_algs(kex,Algs) ) +- ++ kex_ext_info(Role,Opts), ++ ++ kex_ext_info(Role,Opts) ++ ++ kex_strict_alg(Role), + server_host_key_algorithms = HostKeyAlgs, + encryption_algorithms_client_to_server = 
c2s(cipher,Algs), + encryption_algorithms_server_to_client = s2c(cipher,Algs), +@@ -388,10 +389,12 @@ new_keys_message(Ssh0) -> + + + handle_kexinit_msg(#ssh_msg_kexinit{} = CounterPart, #ssh_msg_kexinit{} = Own, +- #ssh{role = client} = Ssh) -> ++ #ssh{role = client} = Ssh, ReNeg) -> + try +- {ok, Algorithms} = select_algorithm(client, Own, CounterPart, Ssh#ssh.opts), ++ {ok, Algorithms} = ++ select_algorithm(client, Own, CounterPart, Ssh, ReNeg), + true = verify_algorithm(Algorithms), ++ true = verify_kexinit_is_first_msg(Algorithms, Ssh, ReNeg), + Algorithms + of + Algos -> +@@ -404,10 +407,12 @@ handle_kexinit_msg(#ssh_msg_kexinit{} = CounterPart, #ssh_msg_kexinit{} = Own, + end; + + handle_kexinit_msg(#ssh_msg_kexinit{} = CounterPart, #ssh_msg_kexinit{} = Own, +- #ssh{role = server} = Ssh) -> ++ #ssh{role = server} = Ssh, ReNeg) -> + try +- {ok, Algorithms} = select_algorithm(server, CounterPart, Own, Ssh#ssh.opts), ++ {ok, Algorithms} = ++ select_algorithm(server, CounterPart, Own, Ssh, ReNeg), + true = verify_algorithm(Algorithms), ++ true = verify_kexinit_is_first_msg(Algorithms, Ssh, ReNeg), + Algorithms + of + Algos -> +@@ -483,6 +488,21 @@ verify_algorithm(#alg{kex = Kex}) -> + false -> {false, "kex"} + end. + ++verify_kexinit_is_first_msg(#alg{kex_strict_negotiated = false}, _, _) -> ++ true; ++verify_kexinit_is_first_msg(#alg{kex_strict_negotiated = true}, _, renegotiate) -> ++ true; ++verify_kexinit_is_first_msg(#alg{kex_strict_negotiated = true}, ++ #ssh{send_sequence = 1, recv_sequence = 1}, ++ init) -> ++ true; ++verify_kexinit_is_first_msg(#alg{kex_strict_negotiated = true}, ++ #ssh{send_sequence = SendSequence, ++ recv_sequence = RecvSequence}, init) -> ++ error_logger:warning_report( ++ lists:concat(["KEX strict violation (", SendSequence, ", ", RecvSequence, ")."])), ++ {false, "kex_strict"}. 
++ + %%%---------------------------------------------------------------- + %%% + %%% Key exchange initialization +@@ -862,6 +882,9 @@ handle_new_keys(#ssh_msg_newkeys{}, Ssh0) -> + ) + end. + ++%%%---------------------------------------------------------------- ++kex_strict_alg(client) -> [?kex_strict_c]; ++kex_strict_alg(server) -> [?kex_strict_s]. + + %%%---------------------------------------------------------------- + kex_ext_info(Role, Opts) -> +@@ -1052,7 +1075,35 @@ known_host_key(#ssh{opts = Opts, peer = {PeerName,{IP,Port}}} = Ssh, + %% + %% The first algorithm in each list MUST be the preferred (guessed) + %% algorithm. Each string MUST contain at least one algorithm name. +-select_algorithm(Role, Client, Server, Opts) -> ++select_algorithm(Role, Client, Server, ++ #ssh{opts = Opts, ++ kex_strict_negotiated = KexStrictNegotiated0}, ++ ReNeg) -> ++ KexStrictNegotiated = ++ case ReNeg of ++ %% KEX strict negotiated once per connection ++ init -> ++ Result = ++ case Role of ++ server -> ++ lists:member(?kex_strict_c, ++ Client#ssh_msg_kexinit.kex_algorithms); ++ client -> ++ lists:member(?kex_strict_s, ++ Server#ssh_msg_kexinit.kex_algorithms) ++ end, ++ case Result of ++ true -> ++ error_logger:info_report( ++ lists:concat([Role, " will use strict KEX ordering"])); ++ _ -> ++ ok ++ end, ++ Result; ++ _ -> ++ KexStrictNegotiated0 ++ end, ++ + {Encrypt0, Decrypt0} = select_encrypt_decrypt(Role, Client, Server), + {SendMac0, RecvMac0} = select_send_recv_mac(Role, Client, Server), + +@@ -1103,7 +1154,8 @@ select_algorithm(Role, Client, Server, Opts) -> + c_lng = C_Lng, + s_lng = S_Lng, + send_ext_info = SendExtInfo, +- recv_ext_info = RecvExtInfo ++ recv_ext_info = RecvExtInfo, ++ kex_strict_negotiated = KexStrictNegotiated + }}. 
+ + +@@ -1201,7 +1253,8 @@ alg_setup(snd, SSH) -> + c_lng = ALG#alg.c_lng, + s_lng = ALG#alg.s_lng, + send_ext_info = ALG#alg.send_ext_info, +- recv_ext_info = ALG#alg.recv_ext_info ++ recv_ext_info = ALG#alg.recv_ext_info, ++ kex_strict_negotiated = ALG#alg.kex_strict_negotiated + }; + + alg_setup(rcv, SSH) -> +@@ -1213,22 +1266,23 @@ alg_setup(rcv, SSH) -> + c_lng = ALG#alg.c_lng, + s_lng = ALG#alg.s_lng, + send_ext_info = ALG#alg.send_ext_info, +- recv_ext_info = ALG#alg.recv_ext_info ++ recv_ext_info = ALG#alg.recv_ext_info, ++ kex_strict_negotiated = ALG#alg.kex_strict_negotiated + }. + +- +-alg_init(snd, SSH0) -> ++alg_init(Dir = snd, SSH0) -> + {ok,SSH1} = send_mac_init(SSH0), + {ok,SSH2} = encrypt_init(SSH1), + {ok,SSH3} = compress_init(SSH2), +- SSH3; ++ {ok,SSH4} = maybe_reset_sequence(Dir, SSH3), ++ SSH4; + +-alg_init(rcv, SSH0) -> ++alg_init(Dir = rcv, SSH0) -> + {ok,SSH1} = recv_mac_init(SSH0), + {ok,SSH2} = decrypt_init(SSH1), + {ok,SSH3} = decompress_init(SSH2), +- SSH3. +- ++ {ok,SSH4} = maybe_reset_sequence(Dir, SSH3), ++ SSH4. + + alg_final(snd, SSH0) -> + {ok,SSH1} = send_mac_final(SSH0), +@@ -2193,6 +2247,14 @@ crypto_name_supported(Tag, CryptoName, Supported) -> + + same(Algs) -> [{client2server,Algs}, {server2client,Algs}]. + ++maybe_reset_sequence(snd, Ssh = #ssh{kex_strict_negotiated = true}) -> ++ {ok, Ssh#ssh{send_sequence = 0}}; ++maybe_reset_sequence(rcv, Ssh = #ssh{kex_strict_negotiated = true}) -> ++ {ok, Ssh#ssh{recv_sequence = 0}}; ++maybe_reset_sequence(_Dir, Ssh) -> ++ {ok, Ssh}. ++ ++ + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %% + %% Other utils +@@ -2219,14 +2281,14 @@ ssh_dbg_flags(raw_messages) -> ssh_dbg_flags(hello); + ssh_dbg_flags(ssh_messages) -> ssh_dbg_flags(hello). 
+ + +-ssh_dbg_on(alg) -> dbg:tpl(?MODULE,select_algorithm,4,x); ++ssh_dbg_on(alg) -> dbg:tpl(?MODULE,select_algorithm,5,x); + ssh_dbg_on(hello) -> dbg:tp(?MODULE,hello_version_msg,1,x), + dbg:tp(?MODULE,handle_hello_version,1,x); + ssh_dbg_on(raw_messages) -> ssh_dbg_on(hello); + ssh_dbg_on(ssh_messages) -> ssh_dbg_on(hello). + + +-ssh_dbg_off(alg) -> dbg:ctpl(?MODULE,select_algorithm,4); ++ssh_dbg_off(alg) -> dbg:ctpl(?MODULE,select_algorithm,5); + ssh_dbg_off(hello) -> dbg:ctpg(?MODULE,hello_version_msg,1), + dbg:ctpg(?MODULE,handle_hello_version,1); + ssh_dbg_off(raw_messages) -> ssh_dbg_off(hello); +@@ -2249,9 +2311,9 @@ ssh_dbg_format(hello, {call,{?MODULE,handle_hello_version,[Hello]}}) -> + ssh_dbg_format(hello, {return_from,{?MODULE,handle_hello_version,1},_Ret}) -> + skip; + +-ssh_dbg_format(alg, {call,{?MODULE,select_algorithm,[_,_,_,_]}}) -> ++ssh_dbg_format(alg, {call,{?MODULE,select_algorithm,[_,_,_,_,_]}}) -> + skip; +-ssh_dbg_format(alg, {return_from,{?MODULE,select_algorithm,4},{ok,Alg}}) -> ++ssh_dbg_format(alg, {return_from,{?MODULE,select_algorithm,5},{ok,Alg}}) -> + ["Negotiated algorithms:\n", + wr_record(Alg) + ]; +diff --git a/lib/ssh/src/ssh_transport.hrl b/lib/ssh/src/ssh_transport.hrl +index 009d85c..efe1d40 100644 +--- a/lib/ssh/src/ssh_transport.hrl ++++ b/lib/ssh/src/ssh_transport.hrl +@@ -266,5 +266,7 @@ + -define(dh_group18, + {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}). + +- ++%%% OpenSSH KEX strict ++-define(kex_strict_c, "kex-strict-c-v00@openssh.com"). ++-define(kex_strict_s, "kex-strict-s-v00@openssh.com"). + -endif. % -ifdef(ssh_transport). 
+diff --git a/lib/ssh/test/ssh_protocol_SUITE.erl b/lib/ssh/test/ssh_protocol_SUITE.erl +index 666ac76..90f5b54 100644 +--- a/lib/ssh/test/ssh_protocol_SUITE.erl ++++ b/lib/ssh/test/ssh_protocol_SUITE.erl +@@ -53,6 +53,9 @@ + empty_service_name/1, + ext_info_c/1, + ext_info_s/1, ++ kex_strict_negotiated/1, ++ kex_strict_msg_ignore/1, ++ kex_strict_msg_unknown/1, + gex_client_init_option_groups/1, + gex_client_init_option_groups_file/1, + gex_client_init_option_groups_moduli_file/1, +@@ -136,8 +139,10 @@ groups() -> + gex_client_init_option_groups_moduli_file, + gex_client_init_option_groups_file, + gex_client_old_request_exact, +- gex_client_old_request_noexact +- ]}, ++ gex_client_old_request_noexact, ++ kex_strict_negotiated, ++ kex_strict_msg_ignore, ++ kex_strict_msg_unknown]}, + {service_requests, [], [bad_service_name, + bad_long_service_name, + bad_very_long_service_name, +@@ -164,17 +169,16 @@ groups() -> + + init_per_suite(Config) -> + ?CHECK_CRYPTO(start_std_daemon( setup_dirs( start_apps(Config)))). +- ++ + end_per_suite(Config) -> + stop_apps(Config). 
+ +- +- + init_per_testcase(no_common_alg_server_disconnects, Config) -> + start_std_daemon(Config, [{preferred_algorithms,[{public_key,['ssh-rsa']}, + {cipher,?DEFAULT_CIPHERS} + ]}]); +- ++init_per_testcase(kex_strict_negotiated, Config) -> ++ Config; + init_per_testcase(TC, Config) when TC == gex_client_init_option_groups ; + TC == gex_client_init_option_groups_moduli_file ; + TC == gex_client_init_option_groups_file ; +@@ -217,6 +221,8 @@ init_per_testcase(_TestCase, Config) -> + + end_per_testcase(no_common_alg_server_disconnects, Config) -> + stop_std_daemon(Config); ++end_per_testcase(kex_strict_negotiated, Config) -> ++ Config; + end_per_testcase(TC, Config) when TC == gex_client_init_option_groups ; + TC == gex_client_init_option_groups_moduli_file ; + TC == gex_client_init_option_groups_file ; +@@ -818,6 +824,80 @@ ext_info_c(Config) -> + {result, Pid, Error} -> ct:fail("Error: ~p",[Error]) + end. + ++%%%-------------------------------------------------------------------- ++%%% ++kex_strict_negotiated(Config0) -> ++ {ok,Pid} = ssh_test_lib:add_report_handler(), ++ Config = start_std_daemon(Config0, []), ++ {Server, Host, Port} = proplists:get_value(server, Config), ++ #{level := Level} = logger:get_primary_config(), ++ logger:set_primary_config(level, notice), ++ {ok, ConnRef} = std_connect({Host, Port}, Config, []), ++ {algorithms, A} = ssh:connection_info(ConnRef, algorithms), ++ ssh:stop_daemon(Server), ++ {ok, Reports} = ssh_test_lib:get_reports(Pid), ++ ct:log("Reports = ~p", [Reports]), ++ true = ssh_test_lib:kex_strict_negotiated(client, Reports), ++ true = ssh_test_lib:kex_strict_negotiated(server, Reports), ++ logger:set_primary_config(Level), ++ ok. 
++ ++%% Connect to an erlang server and inject unexpected SSH ignore ++kex_strict_msg_ignore(Config) -> ++ ct:log("START: ~p~n=================================", [?FUNCTION_NAME]), ++ ExpectedReason = "strict KEX violation: unexpected SSH_MSG_IGNORE", ++ TestMessages = ++ [{send, ssh_msg_ignore}, ++ {match, #ssh_msg_kexdh_reply{_='_'}, receive_msg}, ++ {match, disconnect(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED), receive_msg}], ++ kex_strict_helper(Config, TestMessages, ExpectedReason). ++ ++%% Connect to an erlang server and inject unexpected non-SSH binary ++kex_strict_msg_unknown(Config) -> ++ ct:log("START: ~p~n=================================", [?FUNCTION_NAME]), ++ ExpectedReason = "Bad packet: Size", ++ TestMessages = ++ [{send, ssh_msg_unknown}, ++ {match, #ssh_msg_kexdh_reply{_='_'}, receive_msg}, ++ {match, disconnect(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED), receive_msg}], ++ kex_strict_helper(Config, TestMessages, ExpectedReason). ++ ++kex_strict_helper(Config, TestMessages, ExpectedReason) -> ++ {ok,HandlerPid} = ssh_test_lib:add_report_handler(), ++ #{level := Level} = logger:get_primary_config(), ++ logger:set_primary_config(level, notice), ++ %% Connect and negotiate keys ++ {ok, InitialState} = ssh_trpt_test_lib:exec( ++ [{set_options, [print_ops, print_seqnums, print_messages]}] ++ ), ++ {ok, _AfterKexState} = ++ ssh_trpt_test_lib:exec( ++ [{connect, ++ server_host(Config),server_port(Config), ++ [{preferred_algorithms,[{kex,[?DEFAULT_KEX]}, ++ {cipher,?DEFAULT_CIPHERS} ++ ]}, ++ {silently_accept_hosts, true}, ++ {recv_ext_info, false}, ++ {user_dir, user_dir(Config)}, ++ {user_interaction, false} ++ | proplists:get_value(extra_options,Config,[]) ++ ]}, ++ receive_hello, ++ {send, hello}, ++ {send, ssh_msg_kexinit}, ++ {match, #ssh_msg_kexinit{_='_'}, receive_msg}, ++ {send, ssh_msg_kexdh_init}] ++ ++ TestMessages, ++ InitialState), ++ ct:sleep(100), ++ {ok, Reports} = ssh_test_lib:get_reports(HandlerPid), ++ ct:log("HandlerPid = ~p~nReports = ~p", 
[HandlerPid, Reports]), ++ true = ssh_test_lib:kex_strict_negotiated(client, Reports), ++ true = ssh_test_lib:kex_strict_negotiated(server, Reports), ++ true = ssh_test_lib:event_logged(server, Reports, ExpectedReason), ++ logger:set_primary_config(Level), ++ ok. + + %%%---------------------------------------------------------------- + %%% +@@ -839,7 +919,7 @@ modify_append(Config) -> + Ciphers = filter_supported(cipher, ?CIPHERS), + {ok,_} = + chk_pref_algs(Config, +- [?DEFAULT_KEX, ?EXTRA_KEX], ++ [?DEFAULT_KEX, ?EXTRA_KEX, list_to_atom(?kex_strict_s)], + Ciphers, + [{preferred_algorithms, [{kex,[?DEFAULT_KEX]}, + {cipher,Ciphers} +@@ -853,7 +933,7 @@ modify_prepend(Config) -> + Ciphers = filter_supported(cipher, ?CIPHERS), + {ok,_} = + chk_pref_algs(Config, +- [?EXTRA_KEX, ?DEFAULT_KEX], ++ [?EXTRA_KEX, ?DEFAULT_KEX, list_to_atom(?kex_strict_s)], + Ciphers, + [{preferred_algorithms, [{kex,[?DEFAULT_KEX]}, + {cipher,Ciphers} +@@ -867,7 +947,7 @@ modify_rm(Config) -> + Ciphers = filter_supported(cipher, ?CIPHERS), + {ok,_} = + chk_pref_algs(Config, +- [?DEFAULT_KEX], ++ [?DEFAULT_KEX, list_to_atom(?kex_strict_s)], + tl(Ciphers), + [{preferred_algorithms, [{kex,[?DEFAULT_KEX,?EXTRA_KEX]}, + {cipher,Ciphers} +@@ -886,7 +966,7 @@ modify_combo(Config) -> + LastC = lists:last(Ciphers), + {ok,_} = + chk_pref_algs(Config, +- [?DEFAULT_KEX], ++ [?DEFAULT_KEX, list_to_atom(?kex_strict_s)], + [LastC] ++ (tl(Ciphers)--[LastC]) ++ [hd(Ciphers)], + [{preferred_algorithms, [{kex,[?DEFAULT_KEX,?EXTRA_KEX]}, + {cipher,Ciphers} +diff --git a/lib/ssh/test/ssh_test_lib.erl b/lib/ssh/test/ssh_test_lib.erl +index 08c9638..a86a561 100644 +--- a/lib/ssh/test/ssh_test_lib.erl ++++ b/lib/ssh/test/ssh_test_lib.erl +@@ -121,7 +121,11 @@ setup_host_key_create_dir/3, + setup_host_key/3, + setup_known_host/3, + get_addr_str/0, +-file_base_name/2 ++file_base_name/2, ++add_report_handler/0, ++get_reports/1, ++kex_strict_negotiated/2, ++event_logged/3 + ]). 
+ + -include_lib("common_test/include/ct.hrl"). +@@ -1267,3 +1271,49 @@ file_base_name(system_src, 'ecdsa-sha2-nistp521') -> "ssh_host_ecdsa_key521"; + file_base_name(system_src, Alg) -> file_base_name(system, Alg). + + %%%---------------------------------------------------------------- ++add_report_handler() -> ++ ssh_eqc_event_handler:add_report_handler(). ++ ++get_reports(Pid) -> ++ ssh_eqc_event_handler:get_reports(Pid). ++ ++-define(SEARCH_FUN(EXP), ++ begin ++ fun({info_report, _, {_, std_info, EXP}}) -> ++ true; ++ (_) -> ++ false ++ end ++ end). ++-define(SEARCH_SUFFIX, " will use strict KEX ordering"). ++ ++kex_strict_negotiated(client, Reports) -> ++ kex_strict_negotiated(?SEARCH_FUN("client" ++ ?SEARCH_SUFFIX), Reports); ++kex_strict_negotiated(server, Reports) -> ++ kex_strict_negotiated(?SEARCH_FUN("server" ++ ?SEARCH_SUFFIX), Reports); ++kex_strict_negotiated(SearchFun, Reports) when is_function(SearchFun) -> ++ case lists:search(SearchFun, Reports) of ++ {value, _} -> true; ++ _ -> false ++ end. ++ ++event_logged(Role, Reports, Reason) -> ++ SearchF = ++ fun({info_msg, _, {_, _Format, Args}}) -> ++ AnyF = fun (E) when is_list(E) -> ++ case string:find(E, Reason) of ++ nomatch -> false; ++ _ -> true ++ end; ++ (_) -> ++ false ++ end, ++ lists:member(Role, Args) andalso ++ lists:any(AnyF, Args); ++ (_) -> ++ false ++ end, ++ case lists:search(SearchF, Reports) of ++ {value, _} -> true; ++ _ -> false ++ end. +diff --git a/lib/ssh/test/ssh_to_openssh_SUITE.erl b/lib/ssh/test/ssh_to_openssh_SUITE.erl +index c61907e..a155307 100644 +--- a/lib/ssh/test/ssh_to_openssh_SUITE.erl ++++ b/lib/ssh/test/ssh_to_openssh_SUITE.erl +@@ -23,6 +23,7 @@ + + -include_lib("common_test/include/ct.hrl"). + -include("ssh_test_lib.hrl"). ++-include_lib("ssh/src/ssh_transport.hrl"). 
+ + -export([ + suite/0, +@@ -38,7 +39,9 @@ + + -export([ + erlang_server_openssh_client_renegotiate/1, ++ eserver_oclient_kex_strict/1, + erlang_shell_client_openssh_server/1, ++ eclient_oserver_kex_strict/1, + exec_direct_with_io_in_sshc/1, + exec_with_io_in_sshc/1, + tunnel_in_erlclient_erlserver/1, +@@ -73,12 +76,14 @@ groups() -> + [{erlang_client, [], [tunnel_in_erlclient_erlserver, + tunnel_out_erlclient_erlserver, + {group, tunnel_distro_server}, +- erlang_shell_client_openssh_server ++ erlang_shell_client_openssh_server, ++ eclient_oserver_kex_strict + ]}, + {tunnel_distro_server, [], [tunnel_in_erlclient_openssh_server, + tunnel_out_erlclient_openssh_server]}, + {erlang_server, [], [{group, tunnel_distro_client}, + erlang_server_openssh_client_renegotiate, ++ eserver_oclient_kex_strict, + exec_with_io_in_sshc, + exec_direct_with_io_in_sshc + ] +@@ -87,16 +92,15 @@ groups() -> + tunnel_out_non_erlclient_erlserver]} + ]. + +-init_per_suite(Config) -> ++init_per_suite(Config0) -> + ?CHECK_CRYPTO( +- case gen_tcp:connect("localhost", ?SSH_DEFAULT_PORT, []) of ++ case gen_tcp:connect("localhost", ?SSH_DEFAULT_PORT, [{active, false}]) of + {error,econnrefused} -> + {skip,"No openssh daemon (econnrefused)"}; +- _ -> ++ {ok, Sock} -> + ssh_test_lib:openssh_sanity_check( +- [{ptty_supported, ssh_test_lib:ptty_supported()} +- | Config] +- ) ++ [{ptty_supported, ssh_test_lib:ptty_supported()}, ++ {kex_strict, check_kex_strict(Sock)}| Config0]) + end + ). + +@@ -142,6 +146,25 @@ end_per_testcase(_TestCase, _Config) -> + %% Test Cases -------------------------------------------------------- + %%-------------------------------------------------------------------- + erlang_shell_client_openssh_server(Config) when is_list(Config) -> ++ eclient_oserver_helper(Config). 
++ ++eclient_oserver_kex_strict(Config) when is_list(Config)-> ++ case proplists:get_value(kex_strict, Config) of ++ true -> ++ {ok, HandlerPid} = ssh_test_lib:add_report_handler(), ++ #{level := Level} = logger:get_primary_config(), ++ logger:set_primary_config(level, notice), ++ Result = eclient_oserver_helper(Config), ++ {ok, Reports} = ssh_test_lib:get_reports(HandlerPid), ++ ct:pal("Reports = ~p", [Reports]), ++ true = ssh_test_lib:kex_strict_negotiated(client, Reports), ++ logger:set_primary_config(Level), ++ Result; ++ _ -> ++ {skip, "KEX strict not support by local OpenSSH"} ++ end. ++ ++eclient_oserver_helper(Config) -> + process_flag(trap_exit, true), + IO = ssh_test_lib:start_io_server(), + Prev = lists:usort(supervisor:which_children(sshc_sup)), +@@ -166,7 +189,6 @@ erlang_shell_client_openssh_server(Config) when is_list(Config) -> + false + end) + end. +- + %%-------------------------------------------------------------------- + %% Test that the server could redirect stdin and stdout from/to an + %% OpensSSH client when handling an exec request +@@ -231,6 +253,25 @@ exec_direct_with_io_in_sshc(Config) when is_list(Config) -> + %%-------------------------------------------------------------------- + %% Test that the Erlang/OTP server can renegotiate with openSSH + erlang_server_openssh_client_renegotiate(Config) -> ++ eserver_oclient_renegotiate_helper(Config). ++ ++eserver_oclient_kex_strict(Config) -> ++ case proplists:get_value(kex_strict, Config) of ++ true -> ++ {ok, HandlerPid} = ssh_test_lib:add_report_handler(), ++ #{level := Level} = logger:get_primary_config(), ++ logger:set_primary_config(level, notice), ++ Result = eserver_oclient_renegotiate_helper(Config), ++ {ok, Reports} = ssh_test_lib:get_reports(HandlerPid), ++ ct:log("Reports = ~p", [Reports]), ++ true = ssh_test_lib:kex_strict_negotiated(server, Reports), ++ logger:set_primary_config(Level), ++ Result; ++ _ -> ++ {skip, "KEX strict not support by local OpenSSH"} ++ end. 
++ ++eserver_oclient_renegotiate_helper(Config) -> + _PubKeyAlg = ssh_rsa, + SystemDir = proplists:get_value(data_dir, Config), + PrivDir = proplists:get_value(priv_dir, Config), +@@ -255,9 +296,9 @@ erlang_server_openssh_client_renegotiate(Config) -> + + OpenSsh = ssh_test_lib:open_port({spawn, Cmd++" < "++DataFile}), + +- Expect = fun({data,R}) -> ++ Expect = fun({data,R}) -> + try +- NonAlphaChars = [C || C<-lists:seq(1,255), ++ NonAlphaChars = [C || C<-lists:seq(1,255), + not lists:member(C,lists:seq($a,$z)), + not lists:member(C,lists:seq($A,$Z)) + ], +@@ -275,15 +316,14 @@ erlang_server_openssh_client_renegotiate(Config) -> + (_) -> + false + end, +- +- try +- ssh_test_lib:rcv_expected(Expect, OpenSsh, ?TIMEOUT) ++ try ++ ssh_test_lib:rcv_expected(Expect, OpenSsh, ?TIMEOUT) + of +- _ -> +- %% Unfortunately we can't check that there has been a renegotiation, just trust OpenSSH. +- ssh:stop_daemon(Pid) ++ _ -> ++ %% Unfortunately we can't check that there has been a renegotiation, just trust OpenSSH. ++ ssh:stop_daemon(Pid) + catch +- throw:{skip,R} -> {skip,R} ++ throw:{skip,R} -> {skip,R} + end. + + %%-------------------------------------------------------------------- +@@ -569,3 +609,17 @@ no_forwarding(Config) -> + "---- The function no_forwarding() returns ~p", + [Cmnd,TheText, FailRegExp, Result]), + Result. ++ ++check_kex_strict(Sock) -> ++ %% Send some version, in order to receive KEXINIT from server ++ ok = gen_tcp:send(Sock, "SSH-2.0-OpenSSH_9.5\r\n"), ++ ct:sleep(100), ++ {ok, Packet} = gen_tcp:recv(Sock, 0), ++ case string:find(Packet, ?kex_strict_s) of ++ nomatch -> ++ ct:log("KEX strict NOT supported by local OpenSSH"), ++ false; ++ _ -> ++ ct:log("KEX strict supported by local OpenSSH"), ++ true ++ end. 
+diff --git a/lib/ssh/test/ssh_trpt_test_lib.erl b/lib/ssh/test/ssh_trpt_test_lib.erl +index 6d3f454..9a8800b 100644 +--- a/lib/ssh/test/ssh_trpt_test_lib.erl ++++ b/lib/ssh/test/ssh_trpt_test_lib.erl +@@ -73,7 +73,7 @@ exec(L, S) when is_list(L) -> lists:foldl(fun exec/2, S, L); + exec(Op, S0=#s{}) -> + S1 = init_op_traces(Op, S0), + try seqnum_trace( +- op(Op, S1)) ++ op(Op, S1), S1) + of + S = #s{} -> + case proplists:get_value(silent,S#s.opts) of +@@ -331,12 +331,20 @@ send(S0, ssh_msg_kexinit) -> + {Msg, _Bytes, _C0} = ssh_transport:key_exchange_init_msg(S0#s.ssh), + send(S0, Msg); + ++send(S0, ssh_msg_ignore) -> ++ Msg = #ssh_msg_ignore{data = "unexpected_ignore_message"}, ++ send(S0, Msg); ++ ++send(S0, ssh_msg_unknown) -> ++ Msg = binary:encode_hex(<<"0000000C060900000000000000000000">>), ++ send(S0, Msg); ++ + send(S0=#s{alg_neg={undefined,PeerMsg}}, Msg=#ssh_msg_kexinit{}) -> + S1 = opt(print_messages, S0, + fun(X) when X==true;X==detail -> {"Send~n~s~n",[format_msg(Msg)]} end), + S2 = case PeerMsg of + #ssh_msg_kexinit{} -> +- try ssh_transport:handle_kexinit_msg(PeerMsg, Msg, S1#s.ssh) of ++ try ssh_transport:handle_kexinit_msg(PeerMsg, Msg, S1#s.ssh, init) of + {ok,Cx} when ?role(S1) == server -> + S1#s{alg = Cx#ssh.algorithms}; + {ok,_NextKexMsgBin,Cx} when ?role(S1) == client -> +@@ -358,7 +366,7 @@ send(S0=#s{alg_neg={undefined,PeerMsg}}, Msg=#ssh_msg_kexinit{}) -> + send(S0, ssh_msg_kexdh_init) when ?role(S0) == client -> + {OwnMsg, PeerMsg} = S0#s.alg_neg, + {ok, NextKexMsgBin, C} = +- try ssh_transport:handle_kexinit_msg(PeerMsg, OwnMsg, S0#s.ssh) ++ try ssh_transport:handle_kexinit_msg(PeerMsg, OwnMsg, S0#s.ssh, init) + catch + Class:Exc -> + fail("Algorithm negotiation failed!", +@@ -441,7 +449,7 @@ recv(S0 = #s{}) -> + fail("2 kexint received!!", S); + + {OwnMsg, _} -> +- try ssh_transport:handle_kexinit_msg(PeerMsg, OwnMsg, S#s.ssh) of ++ try ssh_transport:handle_kexinit_msg(PeerMsg, OwnMsg, S#s.ssh, init) of + {ok,C} when ?role(S) == server 
-> + S#s{alg_neg = {OwnMsg, PeerMsg}, + alg = C#ssh.algorithms, +@@ -725,23 +733,23 @@ report_trace(Class, Term, S) -> + fun(true) -> {"~s ~p",[Class,Term]} end) + ). + +-seqnum_trace(S) -> ++seqnum_trace(S, S0) -> + opt(print_seqnums, S, +- fun(true) when S#s.ssh#ssh.send_sequence =/= S#s.ssh#ssh.send_sequence, +- S#s.ssh#ssh.recv_sequence =/= S#s.ssh#ssh.recv_sequence -> ++ fun(true) when S0#s.ssh#ssh.send_sequence =/= S#s.ssh#ssh.send_sequence, ++ S0#s.ssh#ssh.recv_sequence =/= S#s.ssh#ssh.recv_sequence -> + {"~p seq num: send ~p->~p, recv ~p->~p~n", + [?role(S), +- S#s.ssh#ssh.send_sequence, S#s.ssh#ssh.send_sequence, +- S#s.ssh#ssh.recv_sequence, S#s.ssh#ssh.recv_sequence ++ S0#s.ssh#ssh.send_sequence, S#s.ssh#ssh.send_sequence, ++ S0#s.ssh#ssh.recv_sequence, S#s.ssh#ssh.recv_sequence + ]}; +- (true) when S#s.ssh#ssh.send_sequence =/= S#s.ssh#ssh.send_sequence -> ++ (true) when S0#s.ssh#ssh.send_sequence =/= S#s.ssh#ssh.send_sequence -> + {"~p seq num: send ~p->~p~n", + [?role(S), +- S#s.ssh#ssh.send_sequence, S#s.ssh#ssh.send_sequence]}; +- (true) when S#s.ssh#ssh.recv_sequence =/= S#s.ssh#ssh.recv_sequence -> ++ S0#s.ssh#ssh.send_sequence, S#s.ssh#ssh.send_sequence]}; ++ (true) when S0#s.ssh#ssh.recv_sequence =/= S#s.ssh#ssh.recv_sequence -> + {"~p seq num: recv ~p->~p~n", + [?role(S), +- S#s.ssh#ssh.recv_sequence, S#s.ssh#ssh.recv_sequence]} ++ S0#s.ssh#ssh.recv_sequence, S#s.ssh#ssh.recv_sequence]} + end). + + print_traces(S) when S#s.prints == [] -> S; diff --git a/SPECS/erlang/erlang.spec b/SPECS/erlang/erlang.spec index 2fc2bae2144..d2b27928ab6 100644 --- a/SPECS/erlang/erlang.spec +++ b/SPECS/erlang/erlang.spec 
@@ -2,13 +2,14 @@ Summary: erlang Name: erlang Version: 25.2 -Release: 1%{?dist} +Release: 2%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner Group: Development/Languages URL: https://erlang.org Source0: https://github.com/erlang/otp/archive/OTP-%{version}/otp-OTP-%{version}.tar.gz +Patch0: CVE-2023-48795.patch BuildRequires: ncurses-devel BuildRequires: openssl-devel BuildRequires: unixODBC-devel @@ -19,6 +20,7 @@ erlang programming language %prep %setup -q -n otp-OTP-%{version} +%patch0 -p1 %build export ERL_TOP=`pwd` @@ -46,6 +48,9 @@ make %{_libdir}/erlang/* %changelog +* Wed Jan 17 2024 Harshit Gupta - 25.2-2 +- Include patch to fix CVE-2023-48795 + * Tue Feb 14 2023 Sam Meluch - 25.2-1 - Update to version 25.2 diff --git a/SPECS/gcc/gcc.spec b/SPECS/gcc/gcc.spec index 88377268f1e..389f4a1b732 100644 --- a/SPECS/gcc/gcc.spec +++ b/SPECS/gcc/gcc.spec 
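Review bot: The new `Patch0: CVE-2023-48795.patch` line carries no comment on what the patch changes, and for this CVE that is worth recording: the test changes visible in the patch (`kex_strict`, "will use strict KEX ordering") indicate it adds strict key-exchange negotiation, which only protects a session when both peers advertise it. A one-line comment above the tag, such as `# Adds strict KEX negotiation for CVE-2023-48795; effective only when the peer also supports it.`, would save the next maintainer from reading the whole patch. The spec also keeps `%setup -q` plus an explicit `%patch0 -p1` rather than the `%autosetup -p1` used by the other specs in this change; not wrong, but inconsistent.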
@@ -1,9 +1,62 @@ %global security_hardening nofortify %define _use_internal_dependency_generator 0 + +# Overriding the default to call 'configure' from subdirectories. +%global _configure ../configure + +# Set if we're building cross-compilation packages for a given host architecture. +%ifarch x86_64 + %global build_cross 1 +%else + %global build_cross 0 +%endif + +# Adds a list of excluded files related to cross-compilation. +# This macro is used only in the files list of the default 'gcc' package, +# so that it doesn't include the cross-compilation files meant to go to +# the 'gcc-' and 'gcc-c++-' subpackages (see: do_files() macro). +# +# Arguments: +# - %1: name of the cross-compilation target architecture. +# - %2: boolean indicating if we're building the cross-compilation bits for the current host architecture. +# See: "build_" macros for each host architecture listed above. +%global do_exclude() \ +%if %2 \ +%exclude %{_bindir}/%{1}* \ +%exclude %{_libdir}/gcc/%{1} \ +%exclude %{_libexecdir}/gcc/%{1} \ +%exclude %{_prefix}/%{1}/sys-root/ \ +%endif + +# Creates the files lists for the cross-compilation packages. +# +# Arguments: +# - %1: name of the cross-compilation target architecture. This appears in the package and file names. +# - %2: boolean indicating if we're building the cross-compilation bits for the current host architecture. +# See: "build_" macros for each host architecture listed above. 
+%global do_files() \ +%if %2 \ +%files -n gcc-%1 \ +%{_bindir}/%{1}*-cpp \ +%{_bindir}/%{1}*-gcc \ +%{_bindir}/%{1}*-gcc-ar \ +%{_bindir}/%{1}*-gcc-nm \ +%{_bindir}/%{1}*-gcc-ranlib \ +%{_bindir}/%{1}*-gcov* \ +%{_bindir}/%{1}*-lto-dump \ +%{_libdir}/gcc/%{1} \ +%{_libexecdir}/gcc/%{1} \ +%{_prefix}/%{1}/sys-root/ \ +\ +%files -n gcc-c++-%1 \ +%{_bindir}/%{1}*-c++ \ +%{_bindir}/%{1}*-g++ \ +%endif + Summary: Contains the GNU compiler collection Name: gcc Version: 11.2.0 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -11,6 +64,11 @@ Group: Development/Tools URL: https://gcc.gnu.org/ Source0: https://ftp.gnu.org/gnu/gcc/%{name}-%{version}/%{name}-%{version}.tar.xz Patch0: CVE-2023-4039.patch + +BuildRequires: gmp-devel +BuildRequires: mpfr-devel +BuildRequires: libmpc-devel + Requires: gcc-c++ = %{version}-%{release} Requires: gmp Requires: libgcc-atomic = %{version}-%{release} 
@@ -39,10 +97,35 @@ Provides: libubsan-static%{?_isa} = %{version}-%{release} Provides: libquadmath = %{version}-%{release} Provides: libquadmath-devel = %{version}-%{release} Provides: libquadmath-devel%{?_isa} = %{version}-%{release} -#%if %{with_check} -#BuildRequires: autogen -#BuildRequires: dejagnu -#%endif + +# Moving macro before the "SourceX" tags breaks PR checks parsing the specs. +%global do_package() \ +%if %2 \ +%package -n gcc-%1 \ +Summary: Cross-build binary utilities for %1 \ +Requires: cross-gcc-common == %{version}-%{release} \ +BuildRequires: binutils-%1 \ +Requires: binutils-%1 \ +Requires: gmp-devel \ +Requires: mpfr-devel \ +Requires: libmpc-devel \ +%description -n gcc-%1 \ +Cross-build GNU C compiler. \ +\ +Only building kernels is currently supported. Support for cross-building \ +user space programs is not currently provided as that would massively multiply \ +the number of packages. \ +\ +%package -n gcc-c++-%1 \ +Summary: Cross-build binary utilities for %1 \ +Requires: gcc-%1 == %{version}-%{release} \ +%description -n gcc-c++-%1 \ +Cross-build GNU C++ compiler. \ +\ +Only the compiler is provided; not libstdc++. Support for cross-building \ +user space programs is not currently provided as that would massively multiply \ +the number of packages. \ +%endif %description The GCC package contains the GNU compiler collection, 
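Review bot: `Requires: cross-gcc-common == %{version}-%{release}` and `Requires: gcc-%1 == %{version}-%{release}` in the new `do_package` macro use `==`, while the rest of this spec writes version constraints with a single `=` (for example `Requires: gcc-c++ = %{version}-%{release}` earlier in the file); rpm accepts both, but one form should be used throughout. The summaries are also copy-pasted: both `gcc-%1` and `gcc-c++-%1` get `Summary: Cross-build binary utilities for %1`, which describes binutils rather than a compiler and contradicts the `%description` text directly below each; `Summary: Cross-build GNU C compiler for %1` and `Summary: Cross-build GNU C++ compiler for %1` would match the descriptions.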
@@ -136,12 +219,92 @@ Requires: libgomp = %{version}-%{release} An implementation of OpenMP for the C, C++, and Fortran 95 compilers in the GNU Compiler Collection. This package contains development headers and static library for libgomp +%if %{build_cross} +%package -n cross-gcc-common +Summary: Cross-build GNU C compiler documentation and translation files +BuildArch: noarch + +%description -n cross-gcc-common +Documentation, manual pages and translation files for cross-build GNU C +compiler. + +This is the common part of a set of cross-build GNU C compiler packages for +building kernels for other architectures. No support for cross-building +user space programs is currently supplied as that would massively multiply the +number of packages. +%endif + +%do_package aarch64-linux-gnu %{build_cross} + %prep %autosetup -p1 + +function prep_target () { + local target=$1 + local condition=$2 + + if [ $condition != 0 ] + then + echo $1 >> cross.list + fi +} + +touch cross.list +prep_target aarch64-linux-gnu %{build_cross} + # disable no-pie for gcc binaries sed -i '/^NO_PIE_CFLAGS = /s/@NO_PIE_CFLAGS@//' gcc/Makefile.in %build +function config_cross_target () { + local target=$1 + + mkdir $target + pushd $target + + CFLAGS_FOR_TARGET="-g -O2 -Wall -fexceptions" \ + AR_FOR_TARGET=%{_bindir}/$target-ar \ + AS_FOR_TARGET=%{_bindir}/$target-as \ + LD_FOR_TARGET=%{_bindir}/$target-ld \ + NM_FOR_TARGET=%{_bindir}/$target-nm \ + OBJDUMP_FOR_TARGET=%{_bindir}/$target-objdump \ + RANLIB_FOR_TARGET=%{_bindir}/$target-ranlib \ + READELF_FOR_TARGET=%{_bindir}/$target-readelf \ + STRIP_FOR_TARGET=%{_bindir}/$target-strip \ + SED=sed %configure \ + --disable-bootstrap \ + --disable-decimal-float \ + --disable-dependency-tracking \ + --disable-gold \ + --disable-libgcj \ + --disable-libgomp \ + --disable-libmpx \ + --disable-libquadmath \ + --disable-libssp \ + --disable-libunwind-exceptions \ + --disable-multilib \ + --disable-shared \ + --disable-silent-rules \ + 
--disable-sjlj-exceptions \ + --disable-threads \ + --enable-plugin \ + --enable-__cxa_atexit \ + --enable-clocale=gnu \ + --enable-default-pie \ + --enable-languages=c,c++ \ + --enable-linker-build-id \ + --enable-targets=all \ + --program-prefix=$target- \ + --target=$target \ + --with-ld=/usr/bin/$target-ld \ + --with-newlib \ + --with-sysroot=%{_prefix}/$target/sys-root \ + --with-system-zlib \ + --without-headers + + popd +} + CFLAGS="`echo " %{build_cflags} " | sed 's/-Werror=format-security/-Wno-error=format-security/'`" CXXFLAGS="`echo " %{build_cxxflags} " | sed 's/-Werror=format-security/-Wno-error=format-security/'`" FCFLAGS="`echo " %{build_fflags} " | sed 's/-Werror=format-security/-Wno-error=format-security/'`" 
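Review bot: `--with-ld=/usr/bin/$target-ld` in `config_cross_target` hard-codes `/usr/bin` while every other tool path in the same function is built from `%{_bindir}/$target-...`; it should be `--with-ld=%{_bindir}/$target-ld` so the two cannot diverge. In `prep_target`, `local target=$1` is declared but the body then writes `echo $1 >> cross.list`, and `[ $condition != 0 ]` is unquoted; `echo "$target" >> cross.list` and `[ "$condition" != 0 ]` would make the helper read as intended. The `%build` section that this hunk opens continues past the end of the hunk.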
@@ -149,22 +312,46 @@ export CFLAGS export CXXFLAGS export FCFLAGS +mkdir build +pushd build + SED=sed \ %configure \ - --enable-shared \ - --enable-threads=posix \ + --disable-bootstrap \ + --disable-multilib \ --enable-__cxa_atexit \ --enable-clocale=gnu \ + --enable-default-pie \ --enable-languages=c,c++,fortran \ - --disable-multilib \ - --disable-bootstrap \ --enable-linker-build-id \ --enable-plugin \ - --enable-default-pie \ + --enable-shared \ + --enable-threads=posix \ --with-system-zlib -make %{?_smp_mflags} + +popd + +make -C build %{?_smp_mflags} + +while read -r target +do + echo "=== BUILD cross-compilation target $target ===" + config_cross_target $target + AR_FOR_TARGET=%{_bindir}/$target-ar \ + AS_FOR_TARGET=%{_bindir}/$target-as \ + LD_FOR_TARGET=%{_bindir}/$target-ld \ + NM_FOR_TARGET=%{_bindir}/$target-nm \ + OBJDUMP_FOR_TARGET=%{_bindir}/$target-objdump \ + RANLIB_FOR_TARGET=%{_bindir}/$target-ranlib \ + READELF_FOR_TARGET=%{_bindir}/$target-readelf \ + STRIP_FOR_TARGET=%{_bindir}/$target-strip \ + make -C $target %{_smp_mflags} tooldir=%{_prefix} all-gcc + make -C $target %{_smp_mflags} tooldir=%{_prefix} all-target-libgcc +done < cross.list %install +pushd build + make %{?_smp_mflags} DESTDIR=%{buildroot} install install -vdm 755 %{buildroot}/%{_libdir} ln -sv %{_bindir}/cpp %{buildroot}/%{_libdir} 
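Review bot: The cross-compilation loop calls `make -C $target %{_smp_mflags} tooldir=%{_prefix} all-gcc` and `make -C $target %{_smp_mflags} tooldir=%{_prefix} all-target-libgcc` with the unconditional `%{_smp_mflags}`, whereas `make -C build %{?_smp_mflags}` a few lines earlier uses the conditional form; if `_smp_mflags` is undefined at build time, the literal text `%{_smp_mflags}` is handed to make as a target name. Both lines should read `%{?_smp_mflags}`, which is also the form the `%install` loop in the next hunk already uses.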
@@ -174,14 +361,47 @@ mv -v %{buildroot}%{_lib64dir}/*gdb.py %{buildroot}%{_datarootdir}/gdb/auto-load chmod 755 %{buildroot}/%{_lib64dir}/libgcc_s.so.1 # Install libbacktrace-static components -mv %{_host}/libbacktrace/.libs/libbacktrace.a %{buildroot}%{_lib64dir} -mv libbacktrace/backtrace.h %{buildroot}%{_includedir} +cp %{_host}/libbacktrace/.libs/libbacktrace.a %{buildroot}%{_lib64dir} +cp ../libbacktrace/backtrace.h %{buildroot}%{_includedir} -rm -rf %{buildroot}%{_infodir} %find_lang %{name} --all-name +popd + +while read -r target +do + echo "=== INSTALL cross-compilation target $target ===" + + mkdir -p %{buildroot}%{_prefix}/$target/sys-root + make -C $target %{?_smp_mflags} DESTDIR=%{buildroot} install-gcc install-target-libgcc + rm -rf %{buildroot}%{_mandir}/man1/$target-* +done < cross.list + +rm -rf %{buildroot}%{_infodir} + +# Workaround for cross-compilation object files stripping issue. +# We skip stripping all object files for architectures different than %%{_target_platform}. +# See Fedora's bug: https://bugzilla.redhat.com/show_bug.cgi?id=1863378. +%global __ar_no_strip %{_builddir}/%{name}-%{version}/ar-no-strip +cat >%{__ar_no_strip} < - 11.2.0-8 +- Added cross-compilation support for aarch64. +- Used Fedora 36 spec (license: MIT) for guidance. + * Tue Sep 26 2023 Pawel Winogrodzki - 11.2.0-7 - Removing 'exit' calls from the '%%check' section. diff --git a/SPECS/helm/helm.signatures.json b/SPECS/helm/helm.signatures.json index cfd3bbb3444..d1d4a148e95 100644 --- a/SPECS/helm/helm.signatures.json +++ b/SPECS/helm/helm.signatures.json 
@@ -1,6 +1,6 @@ { "Signatures": { - "helm-3.13.2-vendor.tar.gz": "0b832480c492ca47190d8ad36953e20447b4276f3f4fa7a1d3ec4aca4db1d036", - "helm-3.13.2.tar.gz": "f67a5af5a08d9aec06c46c6eade8e742d3bb9cc6df195fd825deb48df9eb9c0b" + "helm-3.14.0-vendor.tar.gz": "1118bf4d91fb175a66d523e419e820d06e6eda4d654e6d3b78e77cab5304c98f", + "helm-3.14.0.tar.gz": "8897a9cf1733b4fc96630bbd677a3c884209afc974b630ecd28061e2a4546ea6" } } \ No newline at end of file diff --git a/SPECS/helm/helm.spec b/SPECS/helm/helm.spec index 460f62e62b6..240e4627de7 100644 --- a/SPECS/helm/helm.spec +++ b/SPECS/helm/helm.spec @@ -1,7 +1,7 @@ %global debug_package %{nil} Name: helm -Version: 3.13.2 +Version: 3.14.0 Release: 1%{?dist} Summary: The Kubernetes Package Manager Group: Applications/Networking @@ -55,6 +55,9 @@ install -m 755 ./helm %{buildroot}%{_bindir} go test -v ./cmd/helm %changelog +* Fri Jan 19 2024 Muhammad Falak - 3.14.0-1 +- Bump version to address CVE-2023-44487 + * Thu Nov 30 2023 Sindhu Karri - 3.13.2-1 - Upgrade to 3.13.2 to fix CVE-2023-2253, CVE-2023-28840, CVE-2022-27664, CVE-2022-41721, CVE-2022-41723, CVE-2023-39325, CVE-2022-32149, GHSA-m425-mq94-257g, CVE-2022-23471, CVE-2023-25153, CVE-2023-25173, GHSA-6xv5-86q9-7xr8, CVE-2023-28841, CVE-2023-28842, GHSA-jq35-85cj-fj4p, CVE-2023-3978, CVE-2023-44487, CVE-2023-44487, CVE-2023-25165 - Remove dependency on golang version <= 1.18.8. Builds with latest golang version 1.20.10 diff --git a/SPECS-EXTENDED/hiera/fix-puppetlab-paths.patch b/SPECS/hiera/fix-puppetlab-paths.patch similarity index 100% rename from SPECS-EXTENDED/hiera/fix-puppetlab-paths.patch rename to SPECS/hiera/fix-puppetlab-paths.patch diff --git a/SPECS-EXTENDED/hiera/hiera.signatures.json b/SPECS/hiera/hiera.signatures.json similarity index 100% rename from SPECS-EXTENDED/hiera/hiera.signatures.json rename to SPECS/hiera/hiera.signatures.json 
diff --git a/SPECS-EXTENDED/hiera/hiera.spec b/SPECS/hiera/hiera.spec similarity index 96% rename from SPECS-EXTENDED/hiera/hiera.spec rename to SPECS/hiera/hiera.spec index 558d5d97540..1fd7a77b1bc 100644 --- a/SPECS-EXTENDED/hiera/hiera.spec +++ b/SPECS/hiera/hiera.spec @@ -1,7 +1,7 @@ Summary: A simple hierarchical database supporting plugin data sources Name: hiera Version: 3.7.0 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -38,6 +38,7 @@ install -p -m0644 ext/hiera.yaml %{buildroot}%{_sysconfdir}/puppet mkdir -p %{buildroot}%{_sharedstatedir}/hiera %check +gem install rspec mocha json rspec -Ilib spec %files @@ -51,6 +52,10 @@ rspec -Ilib spec %config(noreplace) %{_sysconfdir}/puppet/hiera.yaml %changelog +* Thu Dec 21 2023 Sindhu Karri - 3.7.0-5 +- Promote package to Mariner Base repo +- Install rspec, mocha and json gems for running tests + * Thu Apr 21 2022 Pawel Winogrodzki - 3.7.0-4 - Spec clean-up. diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index dc115b23b0b..6c7e28e715c 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -7,6 +7,6 @@ "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-5.15.145.2.tar.gz": "5f09cdfe9d04b035d98d5aa5b22dd03e3cd6350ace51dab5c3ceea9283da7b0a" + "kernel-5.15.148.1.tar.gz": "e77c297fe3e3f0d9fd403c52f1e959389fa33e6642be9ddd12d4ea7f8927e5d6" } } diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index c5ad7a1a7fa..15165480288 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec 
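Review bot: `gem install rspec mocha json` added to `%check` downloads unpinned gems from the network during the package build, so the test run is neither reproducible nor covered by the checksums in `hiera.signatures.json`, and it fails outright in a network-isolated build. The test dependencies belong in `BuildRequires:` on packaged gems where the distribution provides them, or in a vendored, checksummed tarball like the spec's other sources; at minimum the versions should be pinned with `-v`. The changelog entry for this release does not mention that the check stage now needs network access, which a packager reading it later would want to know.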
@@ -8,7 +8,7 @@ %global udev_prefix 70 Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 5.15.145.2 +Version: 5.15.148.1 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation @@ -219,6 +219,12 @@ fi %{_sbindir}/lsvmbus %changelog +* Tue Jan 30 2024 CBL-Mariner Servicing Account - 5.15.148.1-1 +- Auto-upgrade to 5.15.148.1 + +* Thu Jan 25 2024 CBL-Mariner Servicing Account - 5.15.147.1-1 +- Auto-upgrade to 5.15.147.1 + * Tue Jan 16 2024 Gary Swalling - 5.15.145.2-1 - Update to 5.15.145.2 diff --git a/SPECS/kata-containers-cc/kata-containers-cc.signatures.json b/SPECS/kata-containers-cc/kata-containers-cc.signatures.json index 33719d641e6..19e953e1141 100644 --- a/SPECS/kata-containers-cc/kata-containers-cc.signatures.json +++ b/SPECS/kata-containers-cc/kata-containers-cc.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { - "kata-containers-cc-0.6.2.tar.gz": "527a9e0064ba250e5355c03556ff60769a818aeec44481f77305d1fa115341b1", - "kata-containers-cc-0.6.2-cargo.tar.gz": "f43974d6f8305067d8dfd55edb3841fb8e7f1929405b9c4696b046b02c15bd76", - "mariner-coco-build-uvm.sh" :"2c1ef256c294c702ba2feab118644c81a2c6c85d0085fa8d205e3ce1a0b5c82d" + "mariner-coco-build-uvm.sh": "4f2be6965d8c4d7919fd201a68160fc8ab02a1be50a336abbfea13f16a6ffb89", + "kata-containers-cc-0.6.3-cargo.tar.gz": "7ff6c5f7f7aa31a99ea5d837876291d886b16c32f21b6d65d044fd398abff1e6", + "kata-containers-cc-0.6.3.tar.gz": "1f366ce70bf83a239a7ec99334506adb28c3199157b4370840c3685378a34268" } } diff --git a/SPECS/kata-containers-cc/kata-containers-cc.spec b/SPECS/kata-containers-cc/kata-containers-cc.spec index a7bb970a6f8..587cbb14ebe 100644 --- a/SPECS/kata-containers-cc/kata-containers-cc.spec +++ b/SPECS/kata-containers-cc/kata-containers-cc.spec 
@@ -1,15 +1,17 @@ -%global runtime_make_vars DEFSTATICRESOURCEMGMT=true \\\ +%global runtime_make_vars DEFMEMSZ=256 \\\ + DEFSHAREDFS_CLH_SNP_VIRTIOFS=none \\\ + DEFSTATICSANDBOXWORKLOADMEM=1792 \\\ SKIP_GO_VERSION_CHECK=1 %global agent_make_vars LIBC=gnu \\\ - SECURITY_POLICY=yes + AGENT_POLICY=yes %global debug_package %{nil} Name: kata-containers-cc -Version: 0.6.2 -Release: 2%{?dist} -Summary: Kata Confidential Containers +Version: 0.6.3 +Release: 3%{?dist} +Summary: Kata Confidential Containers package developed for Confidential Containers on AKS License: ASL 2.0 Vendor: Microsoft Corporation URL: https://github.com/microsoft/kata-containers @@ -17,7 +19,6 @@ Source0: https://github.com/microsoft/kata-containers/archive/refs/tags/cc- Source1: https://github.com/microsoft/kata-containers/archive/refs/tags/%{name}-%{version}.tar.gz Source2: %{name}-%{version}-cargo.tar.gz Source3: mariner-coco-build-uvm.sh -Patch0: keep-uvm-rootfs-dependencies.patch ExclusiveArch: x86_64 
@@ -40,21 +41,21 @@ BuildRequires: fuse-devel # needed to build the tarfs module, see next comment - we currently build the tarfs module for both kernels BuildRequires: kernel-uvm-devel -BuildRequires: kernel-uvm-cvm-devel # kernel-uvm is required for allowing to test the kata-cc handler w/o SEV SNP but with the -# policy feature using kernel-uvm and the kata-cc shim/agent from this package with policy features +# policy feature using kernel-uvm and the kata-cc shim/agent from this package with policy and snapshotter features Requires: kernel-uvm -Requires: kernel-uvm-cvm Requires: moby-containerd-cc Requires: qemu-virtiofsd %description -Kata Confidential Containers. +The Kata Confidential Containers package ships the Kata components for Confidential Containers on AKS. +The package sources are based on a Microsoft fork of the kata-containers project and tailored to the use +for Mariner-based AKS node images. -# This subpackage is used to build the uvm and therefore has dependencies on the kernel-uvm(-cvm) binaries +# This subpackage is used to build the UVM and therefore has dependencies on the kernel-uvm(-cvm) binaries %package tools -Summary: Kata CC tools package for building UVM components +Summary: Kata Confidential Containers tools package for building the UVM Requires: cargo Requires: qemu-img Requires: parted @@ -62,10 +63,9 @@ Requires: curl Requires: veritysetup Requires: opa >= 0.50.2 Requires: kernel-uvm -Requires: kernel-uvm-cvm %description tools -This package contains the UVM osbuilder files +This package contains the the tooling and files required to build the UVM %prep %autosetup -p1 -n %{name}-%{version} 
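Review bot: The comment `# This subpackage is used to build the UVM and therefore has dependencies on the kernel-uvm(-cvm) binaries` still names `kernel-uvm-cvm`, although this same change removes every `kernel-uvm-cvm` requirement from both the main package and the `tools` subpackage; it should read `... has dependencies on the kernel-uvm binaries`. The rewritten `%description tools` in the following hunk also contains a doubled word: `This package contains the the tooling and files required to build the UVM`.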
@@ -105,34 +105,18 @@ cargo build --release popd # kernel modules -pushd /usr/src/linux-headers*cvm -header_dir=$(basename $PWD) -KERNEL_CVM_VER=${header_dir#"linux-headers-"} -KERNEL_CVM_MODULE_VER=${KERNEL_CVM_VER%%-*} -popd - -pushd /usr/src/$(ls /usr/src | grep linux-header | grep -v cvm) +pushd /usr/src/linux-headers* header_dir=$(basename $PWD) KERNEL_VER=${header_dir#"linux-headers-"} KERNEL_MODULE_VER=${KERNEL_VER%%-*} popd -# make a copy of the tarfs folder for cvm modules -mkdir -p %{_builddir}/%{name}-%{version}/src/tarfs-cvm -cp -aR %{_builddir}/%{name}-%{version}/src/tarfs/* %{_builddir}/%{name}-%{version}/src/tarfs-cvm/ - pushd %{_builddir}/%{name}-%{version}/src/tarfs make KDIR=/usr/src/linux-headers-${KERNEL_VER} make KDIR=/usr/src/linux-headers-${KERNEL_VER} install popd %global KERNEL_MODULES_DIR %{_builddir}/%{name}-%{version}/src/tarfs/_install/lib/modules/${KERNEL_MODULE_VER} -pushd %{_builddir}/%{name}-%{version}/src/tarfs-cvm -make KDIR=/usr/src/linux-headers-${KERNEL_CVM_VER} -make KDIR=/usr/src/linux-headers-${KERNEL_CVM_VER} install -popd -%global KERNEL_CVM_MODULES_DIR %{_builddir}/%{name}-%{version}/src/tarfs-cvm/_install/lib/modules/${KERNEL_CVM_MODULE_VER} - %install %define coco_path /opt/confidential-containers %define coco_bin %{coco_path}/bin @@ -148,7 +132,6 @@ mkdir -p %{buildroot}%{osbuilder}/ci # kernel modules cp -aR %{KERNEL_MODULES_DIR} %{buildroot}%{osbuilder} -cp -aR %{KERNEL_CVM_MODULES_DIR} %{buildroot}%{osbuilder} # osbuilder pushd %{_builddir}/%{name}-%{version} 
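Review bot: `pushd /usr/src/linux-headers*` relies on the glob expanding to exactly one directory; if a second `linux-headers-*` tree is present in the build chroot, bash's `pushd` rejects the extra argument (or `basename $PWD` picks whichever directory sorts first), whereas the removed code at least selected one explicitly. The same single-match assumption appears as `pushd modules/*` in `mariner-coco-build-uvm.sh` later in this change. Capturing the glob and checking its length makes the failure explicit: `header_dirs=(/usr/src/linux-headers*)`, `[ "${#header_dirs[@]}" -eq 1 ] || exit 1`, `pushd "${header_dirs[0]}"`.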
@@ -186,11 +169,12 @@ find %{buildroot}/etc # agent pushd %{_builddir}/%{name}-%{version}/src/agent -mkdir -p %{buildroot}%{osbuilder}/src/agent/samples/policy -cp -aR samples/policy/all-allowed %{buildroot}%{osbuilder}/src/agent/samples/policy +mkdir -p %{buildroot}%{osbuilder}/src/kata-opa +cp -a %{_builddir}/%{name}-%{version}/src/kata-opa/allow-all.rego %{buildroot}%{osbuilder}/src/kata-opa/ +cp -a %{_builddir}/%{name}-%{version}/src/kata-opa/allow-set-policy.rego %{buildroot}%{osbuilder}/src/kata-opa/ +cp -a %{_builddir}/%{name}-%{version}/src/kata-opa/kata-opa.service.in %{buildroot}%{osbuilder}/src/kata-opa/ install -D -m 0755 kata-containers.target %{buildroot}%{osbuilder}/kata-containers.target install -D -m 0755 kata-agent.service.in %{buildroot}%{osbuilder}/kata-agent.service.in -install -D -m 0755 coco-opa.service %{buildroot}%{osbuilder}/coco-opa.service install -D -m 0755 target/x86_64-unknown-linux-gnu/release/kata-agent %{buildroot}%{osbuilder}/kata-agent popd @@ -263,13 +247,14 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder %doc README.md %files tools -%dir %{osbuilder}/src/agent/samples/policy/all-allowed -%{osbuilder}/src/agent/samples/policy/all-allowed/all-allowed.rego +%dir %{osbuilder}/src/kata-opa +%{osbuilder}/src/kata-opa/allow-all.rego +%{osbuilder}/src/kata-opa/allow-set-policy.rego +%{osbuilder}/src/kata-opa/kata-opa.service.in %{osbuilder}/mariner-coco-build-uvm.sh %{osbuilder}/kata-containers.target %{osbuilder}/kata-agent.service.in -%{osbuilder}/coco-opa.service %{osbuilder}/kata-agent %{osbuilder}/ci/install_yq.sh 
@@ -290,6 +275,17 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder %exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu %changelog +* Tue Jan 30 2024 Archana Choudhary - 0.6.3-3 +- Remove kernel-uvm-cvm(-devel) dependency +- Remove kernel-uvm-cvm modules/sources/files +- Remove instructions to build kernel-uvm-cvm related binaries + +* Tue Jan 24 2024 Manuel Huber - 0.6.3-2 +- Enforce a restrictive security policy + +* Mon Jan 08 2024 Dallas Delaney - 0.6.3-1 +- Upgrade to version 0.6.3 + * Tue Dec 05 2023 Archana Choudhary - 0.6.2-2 - Add qemu-virtiofsd as a requirement @@ -319,7 +315,7 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder * Mon Aug 07 2023 CBL-Mariner Servicing Account - 0.6.0-2 - Bump release to rebuild with go 1.19.12 -* Tue Jul 11 2023 Dallas Delaney 0.6.0-1 +* Tue Jul 13 2023 Dallas Delaney 0.6.0-1 - Upgrade to version 0.6.0 * Thu Jul 13 2023 CBL-Mariner Servicing Account - 0.4.2-2 diff --git a/SPECS/kata-containers-cc/keep-uvm-rootfs-dependencies.patch b/SPECS/kata-containers-cc/keep-uvm-rootfs-dependencies.patch deleted file mode 100644 index bb3f08779d8..00000000000 --- a/SPECS/kata-containers-cc/keep-uvm-rootfs-dependencies.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -From e2ef156d481aacc24f20695c0ec65c81e4f85c17 Mon Sep 17 00:00:00 2001 -From: dallasd1 -Date: Thu, 2 Nov 2023 19:58:26 -0700 -Subject: [PATCH] Keep zstd-libs in UVM rootfs - ---- - tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh -index 0988f08f6..359a1c4d9 100644 ---- a/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh -+++ b/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh -@@ -78,7 +78,6 @@ build_rootfs() - "tar" \ - "tzdata" \ - "xz" \ -- "zstd-libs" \ - ) - - for MARINER_REMOVED_PACKAGE in ${MARINER_REMOVED_PACKAGES[@]} --- -2.17.1 - diff --git a/SPECS/kata-containers-cc/mariner-coco-build-uvm.sh b/SPECS/kata-containers-cc/mariner-coco-build-uvm.sh index 3d4e9ddc66c..7899e5c416b 100755 --- a/SPECS/kata-containers-cc/mariner-coco-build-uvm.sh +++ b/SPECS/kata-containers-cc/mariner-coco-build-uvm.sh 
@@ -15,26 +15,27 @@ export AGENT_SOURCE_BIN=${SCRIPT_DIR}/kata-agent
 pushd ${OSBUILDER_DIR}
 sudo make clean
 rm -rf ${ROOTFS_DIR}
-sudo -E PATH=$PATH SECURITY_POLICY=yes make -B DISTRO=cbl-mariner rootfs
+sudo -E PATH=$PATH AGENT_POLICY=yes CONF_GUEST=yes AGENT_POLICY_FILE=allow-set-policy.rego make -B DISTRO=cbl-mariner rootfs
 popd
 
-# include both kernel-uvm and kernel-uvm-cvm modules in rootfs
-# TODO once kernel-uvm and kernel-uvm-cvm are re-aligned:
-# - remove this code
-# - define and export a KERNEL_MODULE_DIR variable above make rootfs
-# - this will cause the make rootfs command to copy the modules and call dempod
-# - the current version of rootfs.sh does not support adding multiple module folder for different kernel versions
 MODULE_ROOTFS_DEST_DIR="${ROOTFS_DIR}/lib/modules"
 mkdir -p ${MODULE_ROOTFS_DEST_DIR}
-for d in modules/*;
-do
- MODULE_DIR_NAME=$(basename $d)
- cp -a "modules/${MODULE_DIR_NAME}" "${MODULE_ROOTFS_DEST_DIR}/"
- depmod -a -b "${ROOTFS_DIR}" ${MODULE_DIR_NAME}
-done
-
-# install other services
-cp ${SCRIPT_DIR}/coco-opa.service ${ROOTFS_DIR}/usr/lib/systemd/system/coco-opa.service
+
+pushd modules/*
+# get kernel modules version
+export KERNEL_MODULES_VER=$(basename $PWD)
+export KERNEL_MODULES_DIR=${SCRIPT_DIR}/modules/${KERNEL_MODULES_VER}
+# copy kernel modules to rootfs
+cp -a ${KERNEL_MODULES_DIR} "${MODULE_ROOTFS_DEST_DIR}/"
+# run depmod
+depmod -a -b ${ROOTFS_DIR} ${KERNEL_MODULES_VER}
+popd
+
+# Install other services.
+#
+# This is needed because we don't use `make install-services` (which installs
+# the service files on the host by default), therefore the rootfs builder can't
+# symlink the services from the host into the rootfs.
 cp ${SCRIPT_DIR}/kata-containers.target ${ROOTFS_DIR}/usr/lib/systemd/system/kata-containers.target
 cp ${SCRIPT_DIR}/kata-agent.service.in ${ROOTFS_DIR}/usr/lib/systemd/system/kata-agent.service
 sed -i 's/@BINDIR@\/@AGENT_NAME@/\/usr\/bin\/kata-agent/g' ${ROOTFS_DIR}/usr/lib/systemd/system/kata-agent.service
@@ -42,5 +43,5 @@ sed -i 's/@BINDIR@\/@AGENT_NAME@/\/usr\/bin\/kata-agent/g' ${ROOTFS_DIR}/usr/li
 # build image
 pushd ${OSBUILDER_DIR}
 mv rootfs-builder/rootfs-cbl-mariner cbl-mariner_rootfs
-sudo -E PATH=$PATH make DISTRO=cbl-mariner KATA_BUILD_CC=yes DM_VERITY_FORMAT=kernelinit image
+sudo -E PATH=$PATH make DISTRO=cbl-mariner MEASURED_ROOTFS=yes DM_VERITY_FORMAT=kernelinit image
 popd
diff --git a/SPECS/keda/CVE-2022-21698.patch b/SPECS/keda/CVE-2022-21698.patch
new file mode 100644
index 00000000000..bf397c0781a
--- /dev/null
+++ b/SPECS/keda/CVE-2022-21698.patch
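Review bot: `pushd modules/*` assumes the glob expands to exactly one directory: when `modules/` is empty or missing the literal pattern is handed to pushd and the call fails, and when it holds two or more entries bash rejects the extra arguments, so in both cases `export KERNEL_MODULES_VER=$(basename $PWD)` on the next line takes the name of whatever directory the script was already in and the following `cp -a` and `depmod` act on the wrong path. The old loop coped with any number of module directories, and it also quoted `"${ROOTFS_DIR}"`, which the new `depmod -a -b ${ROOTFS_DIR} ${KERNEL_MODULES_VER}` no longer does. The new stanza further depends on the current directory being `${SCRIPT_DIR}` for the relative `modules/*`, while `KERNEL_MODULES_DIR` is built from `${SCRIPT_DIR}` explicitly; whether the script runs under `set -e` is not visible here, since its start is outside the hunk. Resolving the glob into an array and checking its size makes the single-kernel assumption explicit and removes the working-directory dependence.
```shell
# … unchanged: rootfs build and MODULE_ROOTFS_DEST_DIR setup …
module_dirs=( "${SCRIPT_DIR}"/modules/*/ )
if [ "${#module_dirs[@]}" -ne 1 ] || [ ! -d "${module_dirs[0]}" ]; then
    echo "expected exactly one kernel modules directory under ${SCRIPT_DIR}/modules, found: ${module_dirs[*]}" >&2
    exit 1
fi
# get kernel modules version
export KERNEL_MODULES_VER=$(basename "${module_dirs[0]}")
export KERNEL_MODULES_DIR="${SCRIPT_DIR}/modules/${KERNEL_MODULES_VER}"
# copy kernel modules to rootfs
cp -a "${KERNEL_MODULES_DIR}" "${MODULE_ROOTFS_DEST_DIR}/"
# run depmod
depmod -a -b "${ROOTFS_DIR}" "${KERNEL_MODULES_VER}"
# … unchanged: service file installation …
```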
@@ -0,0 +1,40 @@
+From db46a9783a98b9efa3cf3444264e44464e35e7af Mon Sep 17 00:00:00 2001
+From: Tobias Brick
+Date: Tue, 30 Jan 2024 20:29:03 +0000
+Subject: [PATCH] update client_golang from 1.11.0 to 1.11.1 to fix
+ CVE-2022-21698
+
+---
+ go.mod | 2 +-
+ go.sum | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/go.mod b/go.mod
+index aac6e22..cfbde07 100644
+--- a/go.mod
++++ b/go.mod
+@@ -34,7 +34,7 @@ require (
+ github.com/onsi/ginkgo v1.16.4
+ github.com/onsi/gomega v1.14.0
+ github.com/pkg/errors v0.9.1
+- github.com/prometheus/client_golang v1.11.0
++ github.com/prometheus/client_golang v1.11.1
+ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
+ github.com/robfig/cron/v3 v3.0.1
+ github.com/streadway/amqp v1.0.0
+diff --git a/go.sum b/go.sum
+index 234016c..957b3ec 100644
+--- a/go.sum
++++ b/go.sum
+@@ -836,6 +836,8 @@ github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP
+ github.com/prometheus/client_golang v1.9.0/go.mod h1:FqZLKOZnGdFAhOK4nqGHa7D66IdsO+O441Eve7ptJDU=
+ github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ=
+ github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
++github.com/prometheus/client_golang v1.11.1 h1:+4eQaD7vAZ6DsfsxB15hbE0odUjGI5ARs9yskGu1v4s=
++github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
+ github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+ github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+ github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+--
+2.33.8
+
diff --git a/SPECS/keda/keda.signatures.json b/SPECS/keda/keda.signatures.json
index 324c9651932..a559142bbf1 100644
--- a/SPECS/keda/keda.signatures.json
+++ b/SPECS/keda/keda.signatures.json
@@ -1,6 +1,6 @@
 {
 "Signatures": {
- "keda-2.4.0-vendor.tar.gz": "bf5f2e19aac2c178a868aa1b1245b11d5ed4a51b0713d1f41154987f062f986e",
+ "keda-2.4.0-vendor-v2.tar.gz": "3a67ec9a94dd9a714aef2899c83b18c8a2ac64ca30efc27b5ffd3fba9ae3fbb4",
 "keda-2.4.0.tar.gz": "e3a44a7be2d80369fb490898fb3f5605170a2848c8f30c6c24eb68fb57cfd3e0"
 }
 }
\ No newline at end of file
diff --git a/SPECS/keda/keda.spec b/SPECS/keda/keda.spec
index b79c45ff4b0..0e5e35bcf28 100644
--- a/SPECS/keda/keda.spec
+++ b/SPECS/keda/keda.spec
@@ -1,7 +1,7 @@
 Summary: Kubernetes-based Event Driven Autoscaling
 Name: keda
 Version: 2.4.0
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -10,18 +10,25 @@ URL: https://github.com/kedacore/keda
 Source0: %{name}-%{version}.tar.gz
 # Below is a manually created tarball, no download link.
 # We're using pre-populated Go modules from this tarball, since network is disabled during build time.
-# How to re-build this file:
+# A couple of notes:
+# A: The -v2 suffix just increases as we make more vendored tarballs.
+# B: Make sure to apply the appropriate patches before creating the tarball.
+#
+# How to re-build this file.
 # 1. wget https://github.com/kedacore/%%{name}/archive/refs/tags/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz
 # 2. tar -xf %%{name}-%%{version}.tar.gz
 # 3. cd %%{name}-%%{version}
-# 4. go mod vendor
-# 5. tar --sort=name \
-# --mtime="2021-04-26 00:00Z" \
+# 4. Apply appropriate patches
+# 5. go mod vendor
+# 6. tar --sort=name \
 # --owner=0 --group=0 --numeric-owner \
 # --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
-# -cf %%{name}-%%{version}-vendor.tar.gz vendor
+# -cf %%{name}-%%{version}-vendor-v2.tar.gz vendor
 #
-Source1: %{name}-%{version}-vendor.tar.gz
+Source1: %{name}-%{version}-vendor-v2.tar.gz
+# Patches the version of client_golang used in the vendored source. Should be applied before creating the vendored tarball.
+# Can be removed if we upgrade keda to 2.6.0 or later.
+Patch0: CVE-2022-21698.patch
 BuildRequires: golang >= 1.15
 
 %description
@@ -29,11 +36,11 @@ KEDA is a Kubernetes-based Event Driven Autoscaling component. It provides event
 driven scale for any container running in Kubernetes
 
 %prep
-%setup -q
-
-%build
+%autosetup -p1
 # create vendor folder from the vendor tarball and set vendor mode
 tar -xf %{SOURCE1} --no-same-owner
+
+%build
 
 export LDFLAGS="-X=github.com/kedacore/keda/v2/version.GitCommit= -X=github.com/kedacore/keda/v2/version.Version=main"
 go build -ldflags "$LDFLAGS" -mod=vendor -v -o bin/keda main.go
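Review bot: The %prep hunk extracts the vendor tarball immediately after `%autosetup -p1`, but nothing in the spec records why that order matters, and the Patch0 comment only says it "should be applied before creating the vendored tarball". With module-aware vendoring, `go build -mod=vendor` (used in %build) fails when vendor/modules.txt disagrees with go.mod, so a `-v2` tarball vendored without the patch would break the build rather than silently ship client_golang 1.11.0; that safeguard is worth stating next to the `tar -xf` line, e.g. `# Source1 must be vendored from the patched go.mod; go build -mod=vendor rejects a vendor/modules.txt that disagrees with go.mod.`. Note also that the patch itself touches only go.mod and go.sum, so the fixed code is delivered by the new tarball, whose sole integrity check is the hash in keda.signatures.json.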
@@ -55,6 +62,11 @@ cp ./bin/keda-adapter %{buildroot}%{_bindir}
 %{_bindir}/%{name}-adapter
 
 %changelog
+* Tue Jan 01 2024 Tobias Brick - 2.4.0-16
+- Patch CVE-2022-21698
+- Update vendored tarball
+- Move tarball expansion to %prep
+
 * Mon Oct 16 2023 CBL-Mariner Servicing Account - 2.4.0-15
 - Bump release to rebuild with go 1.20.9
 
diff --git a/SPECS/kernel-azure/config b/SPECS/kernel-azure/config
index 3622804e96a..53fb0b095ab 100644
--- a/SPECS/kernel-azure/config
+++ b/SPECS/kernel-azure/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.145.2 Kernel Configuration
+# Linux/x86_64 5.15.148.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS/kernel-azure/config_aarch64 b/SPECS/kernel-azure/config_aarch64
index cdc140c6cc0..9c765514f08 100644
--- a/SPECS/kernel-azure/config_aarch64
+++ b/SPECS/kernel-azure/config_aarch64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.15.145.2 Kernel Configuration
+# Linux/arm64 5.15.148.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
@@ -5128,8 +5128,6 @@ CONFIG_AMLOGIC_THERMAL=y
 CONFIG_BCM_SR_THERMAL=y
 # end of Broadcom thermal drivers
 
-# CONFIG_TI_SOC_THERMAL is not set
-
 #
 # NVIDIA Tegra thermal drivers
 #
@@ -7392,10 +7390,8 @@ CONFIG_MMC_BCM2835=m
 CONFIG_MMC_MTK=m
 CONFIG_MMC_SDHCI_BRCMSTB=m
 CONFIG_MMC_SDHCI_XENON=m
-CONFIG_MMC_SDHCI_OMAP=m
 CONFIG_MMC_SDHCI_AM654=m
 # CONFIG_MMC_OWL is not set
-CONFIG_MMC_SDHCI_EXTERNAL_DMA=y
 
 CONFIG_MEMSTICK=m
 # CONFIG_MEMSTICK_DEBUG is not set
diff --git a/SPECS/kernel-azure/kernel-azure.signatures.json b/SPECS/kernel-azure/kernel-azure.signatures.json
index 2bfe3d82c55..fb8d7ddccfd 100644
--- a/SPECS/kernel-azure/kernel-azure.signatures.json
+++ b/SPECS/kernel-azure/kernel-azure.signatures.json
@@ -1,9 +1,9 @@
 {
 "Signatures": {
 "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
- "config": "70924bb071b2388d23d1cb3ee7a2e6eb4fda483d1264fa365a200a5cba341006",
- "config_aarch64": "6d5e3bb21860d075aac8756076f85e0935a24455fd615084dddfa429ac822883",
+ "config": "f018f5a46e75d71fea20d42831f306159b1a3b4297a32c697398ebe915ba6055",
+ "config_aarch64": "c68fbd5b74a295a1fe2d4e27418129b6e7b276bd00fb92f9defc1174f18604a2",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
- "kernel-5.15.145.2.tar.gz": "5f09cdfe9d04b035d98d5aa5b22dd03e3cd6350ace51dab5c3ceea9283da7b0a"
+ "kernel-5.15.148.1.tar.gz": "e77c297fe3e3f0d9fd403c52f1e959389fa33e6642be9ddd12d4ea7f8927e5d6"
 }
 }
diff --git a/SPECS/kernel-azure/kernel-azure.spec b/SPECS/kernel-azure/kernel-azure.spec
index c3b7209480e..7c80ea44ef2 100644
--- a/SPECS/kernel-azure/kernel-azure.spec
+++ b/SPECS/kernel-azure/kernel-azure.spec
@@ -27,7 +27,7 @@
 
 Summary: Linux Kernel
 Name: kernel-azure
-Version: 5.15.145.2
+Version: 5.15.148.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -420,6 +420,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Tue Jan 30 2024 CBL-Mariner Servicing Account - 5.15.148.1-1
+- Auto-upgrade to 5.15.148.1
+
+* Thu Jan 25 2024 CBL-Mariner Servicing Account - 5.15.147.1-1
+- Auto-upgrade to 5.15.147.1
+
 * Tue Jan 16 2024 Gary Swalling - 5.15.145.2-1
 - Update to 5.15.145.2
 
diff --git a/SPECS/kernel-hci/0028-net-mlx5-Bridge-use-debug-not-warn-if-entry-not-found.patch b/SPECS/kernel-hci/0028-net-mlx5-Bridge-Use-debug-instead-of-warn-if-entry-d.patch
similarity index 80%
rename from SPECS/kernel-hci/0028-net-mlx5-Bridge-use-debug-not-warn-if-entry-not-found.patch
rename to SPECS/kernel-hci/0028-net-mlx5-Bridge-Use-debug-instead-of-warn-if-entry-d.patch
index 7bf4f2d9096..536c1ee7bb8 100644
--- a/SPECS/kernel-hci/0028-net-mlx5-Bridge-use-debug-not-warn-if-entry-not-found.patch
+++ b/SPECS/kernel-hci/0028-net-mlx5-Bridge-Use-debug-instead-of-warn-if-entry-d.patch
@@ -1,13 +1,17 @@
-From: Roi Dayan
+From ea645f97bcec90a818dc6915d84cd0f752d9ccfd Mon Sep 17 00:00:00 2001
+From: Roi Dayan
+Date: Thu, 27 Oct 2022 11:35:12 +0300
+Subject: [PATCH] net/mlx5: Bridge, Use debug instead of warn if entry doesn't
+ exists
 
 There is no need for the warn if entry already removed.
 Use debug print like in the update flow.
 Also update the messages so user can identify if the it's from
 the update flow or remove flow.
 
-Signed-off-by: Roi Dayan
-Reviewed-by: Vlad Buslov
-Signed-off-by: Saeed Mahameed
+Signed-off-by: Roi Dayan
+Reviewed-by: Vlad Buslov
+Signed-off-by: Saeed Mahameed
 ---
 drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
@@ -39,4 +43,4 @@ index 4fbff7bcc155..b176648d1343 100644
 }
 --
-2.38.1
+2.31.1
 
diff --git a/SPECS/kernel-hci/0029-Revert-net-mlx5-DR-Fix-uninitialized-var-warning.patch b/SPECS/kernel-hci/0029-Revert-net-mlx5-DR-Fix-uninitialized-var-warning.patch
new file mode 100644
index 00000000000..d724d88b1bc
--- /dev/null
+++ b/SPECS/kernel-hci/0029-Revert-net-mlx5-DR-Fix-uninitialized-var-warning.patch
@@ -0,0 +1,36 @@
+From 29c8c7db946e9e7f38f0f9f7dca39aa30aeac74b Mon Sep 17 00:00:00 2001
+From: Amir Tzin
+Date: Tue, 11 Jul 2023 20:06:11 +0300
+Subject: [PATCH] Revert "net/mlx5: DR, Fix uninitialized var warning"
+
+This reverts commit 34feea3bfb37e09b20b9891ad72a815ac7895bd8.
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
+index 0c7b57bf01d0..4c40178e7d1e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
+@@ -9,7 +9,7 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl,
+ struct mlx5dr_matcher *last_matcher = NULL;
+ struct mlx5dr_htbl_connect_info info;
+ struct mlx5dr_ste_htbl *last_htbl;
+- int ret = -EOPNOTSUPP;
++ int ret;
+
+ if (action && action->action_type != DR_ACTION_TYP_FT)
+ return -EOPNOTSUPP;
+@@ -68,9 +68,6 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl,
+ }
+ }
+
+- if (ret)
+- goto out;
+-
+ /* Release old action */
+ if (tbl->miss_action)
+ refcount_dec(&tbl->miss_action->refcount);
+--
+2.31.1
+
diff --git a/SPECS/kernel-hci/0030-net-mlx5-DR-Fix-code-indentation-in-dr_ste_v1.patch b/SPECS/kernel-hci/0030-net-mlx5-DR-Fix-code-indentation-in-dr_ste_v1.patch
new file mode 100644
index 00000000000..80c2b41420a
--- /dev/null
+++ b/SPECS/kernel-hci/0030-net-mlx5-DR-Fix-code-indentation-in-dr_ste_v1.patch
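Review bot: The patch description gives no reason for reverting a warning fix: it states only `This reverts commit 34feea3bfb37e09b20b9891ad72a815ac7895bd8.`, while the hunks drop both the `int ret = -EOPNOTSUPP;` initializer and the `if (ret) goto out;` early exit in mlx5dr_table_set_miss_action, so the uninitialized-`ret` warning that commit silenced may come back and a non-zero `ret` from the preceding loop no longer skips the miss-action update. It looks like a prerequisite for the following upstream DR patches (0030-0035) to apply cleanly, but that is inferred from the series ordering, not stated anywhere. A sentence in the description such as `Reverted so that the upstream DR vport series (patches 0030-0035) applies cleanly; re-evaluate once that series is in.` would tell the next maintainer whether this revert is meant to stay. The rest of mlx5dr_table_set_miss_action lies outside the hunks.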
@@ -0,0 +1,28 @@
+From c228dce2622253aa9a7407b150230b6e1e28ab6e Mon Sep 17 00:00:00 2001
+From: Yevgeny Kliteynik
+Date: Mon, 2 Aug 2021 00:12:31 +0300
+Subject: [PATCH] net/mlx5: DR, Fix code indentation in dr_ste_v1
+
+Reported-by: kernel test robot
+Signed-off-by: Yevgeny Kliteynik
+Signed-off-by: Saeed Mahameed
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c
+index b2481c99da79..33e6299026f7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c
+@@ -1791,7 +1791,7 @@ static int dr_ste_v1_build_src_gvmi_qpn_tag(struct mlx5dr_match_param *value,
+ else
+ return -EINVAL;
+
+- misc->source_eswitch_owner_vhca_id = 0;
++ misc->source_eswitch_owner_vhca_id = 0;
+ } else {
+ caps = &dmn->info.caps;
+ }
+--
+2.31.1
+
diff --git a/SPECS/kernel-hci/0031-net-mlx5-DR-Fix-vport-number-data-type-to-u16.patch b/SPECS/kernel-hci/0031-net-mlx5-DR-Fix-vport-number-data-type-to-u16.patch
new file mode 100644
index 00000000000..d8a320cf82b
--- /dev/null
+++ b/SPECS/kernel-hci/0031-net-mlx5-DR-Fix-vport-number-data-type-to-u16.patch
@@ -0,0 +1,144 @@
+From f9f93bd55ca6b41eb4c297748e0014147921c295 Mon Sep 17 00:00:00 2001
+From: Yevgeny Kliteynik
+Date: Thu, 12 Aug 2021 03:15:11 +0300
+Subject: [PATCH 70/78] net/mlx5: DR, Fix vport number data type to u16
+
+According to the HW spec, vport number is a 16-bit value.
+Fix vport usage all over the code to u16 data type.
+
+Signed-off-by: Yevgeny Kliteynik
+Reviewed-by: Muhammad Sammar
+Signed-off-by: Saeed Mahameed
+---
+ .../ethernet/mellanox/mlx5/core/steering/dr_action.c | 2 +-
+ .../net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c | 4 ++--
+ .../ethernet/mellanox/mlx5/core/steering/dr_domain.c | 2 +-
+ .../net/ethernet/mellanox/mlx5/core/steering/dr_fw.c | 2 +-
+ .../ethernet/mellanox/mlx5/core/steering/dr_types.h | 10 +++++-----
+ .../net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h | 2 +-
+ 6 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
+index a5b9f65db23c..032b4a2546d3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
+@@ -1747,7 +1747,7 @@ mlx5dr_action_create_modify_header(struct mlx5dr_domain *dmn,
+
+ struct mlx5dr_action *
+ mlx5dr_action_create_dest_vport(struct mlx5dr_domain *dmn,
+- u32 vport, u8 vhca_id_valid,
++ u16 vport, u8 vhca_id_valid,
+ u16 vhca_id)
+ {
+ struct mlx5dr_cmd_vport_cap *vport_cap;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
+index 56307283bf9b..0f69321b3269 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
+@@ -272,7 +272,7 @@ int mlx5dr_cmd_set_fte_modify_and_vport(struct mlx5_core_dev *mdev,
+ u32 table_id,
+ u32 group_id,
+ u32 modify_header_id,
+- u32 vport_id)
++ u16 vport)
+ {
+ u32 out[MLX5_ST_SZ_DW(set_fte_out)] = {};
+ void *in_flow_context;
+@@ -303,7 +303,7 @@ int mlx5dr_cmd_set_fte_modify_and_vport(struct mlx5_core_dev *mdev,
+ in_dests = MLX5_ADDR_OF(flow_context, in_flow_context, destination);
+ MLX5_SET(dest_format_struct, in_dests, destination_type,
+ MLX5_FLOW_DESTINATION_TYPE_VPORT);
+- MLX5_SET(dest_format_struct, in_dests, destination_id, vport_id);
++ MLX5_SET(dest_format_struct, in_dests, destination_id, vport);
+
+ err = mlx5_cmd_exec(mdev, in, inlen, out, sizeof(out));
+ kvfree(in);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
+index 0fe159809ba1..ca299d480579 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
+@@ -38,7 +38,7 @@ static void dr_domain_uninit_cache(struct mlx5dr_domain *dmn)
+ }
+
+ int mlx5dr_domain_cache_get_recalc_cs_ft_addr(struct mlx5dr_domain *dmn,
+- u32 vport_num,
++ u16 vport_num,
+ u64 *rx_icm_addr)
+ {
+ struct mlx5dr_fw_recalc_cs_ft *recalc_cs_ft;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c
+index 0d6f86eb248b..68a4c32d5f34 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c
+@@ -5,7 +5,7 @@
+ #include "dr_types.h"
+
+ struct mlx5dr_fw_recalc_cs_ft *
+-mlx5dr_fw_create_recalc_cs_ft(struct mlx5dr_domain *dmn, u32 vport_num)
++mlx5dr_fw_create_recalc_cs_ft(struct mlx5dr_domain *dmn, u16 vport_num)
+ {
+ struct mlx5dr_cmd_create_flow_table_attr ft_attr = {};
+ struct mlx5dr_fw_recalc_cs_ft *recalc_cs_ft;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+index b20e8aabb861..441c03e645db 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+@@ -752,9 +752,9 @@ struct mlx5dr_esw_caps {
+ struct mlx5dr_cmd_vport_cap {
+ u16 vport_gvmi;
+ u16 vhca_gvmi;
++ u16 num;
+ u64 icm_address_rx;
+ u64 icm_address_tx;
+- u32 num;
+ };
+
+ struct mlx5dr_roce_cap {
+@@ -1103,7 +1103,7 @@ mlx5dr_ste_htbl_may_grow(struct mlx5dr_ste_htbl *htbl)
+ }
+
+ static inline struct mlx5dr_cmd_vport_cap *
+-mlx5dr_get_vport_cap(struct mlx5dr_cmd_caps *caps, u32 vport)
++mlx5dr_get_vport_cap(struct mlx5dr_cmd_caps *caps, u16 vport)
+ {
+ if (!caps->vports_caps ||
+ (vport >= caps->num_vports && vport != WIRE_PORT))
+@@ -1154,7 +1154,7 @@ int mlx5dr_cmd_set_fte_modify_and_vport(struct mlx5_core_dev *mdev,
+ u32 table_id,
+ u32 group_id,
+ u32 modify_header_id,
+- u32 vport_id);
++ u16 vport_id);
+ int mlx5dr_cmd_del_flow_table_entry(struct mlx5_core_dev *mdev,
+ u32 table_type,
+ u32 table_id);
+@@ -1372,11 +1372,11 @@ struct mlx5dr_fw_recalc_cs_ft {
+ };
+
+ struct mlx5dr_fw_recalc_cs_ft *
+-mlx5dr_fw_create_recalc_cs_ft(struct mlx5dr_domain *dmn, u32 vport_num);
++mlx5dr_fw_create_recalc_cs_ft(struct mlx5dr_domain *dmn, u16 vport_num);
+ void mlx5dr_fw_destroy_recalc_cs_ft(struct mlx5dr_domain *dmn,
+ struct mlx5dr_fw_recalc_cs_ft *recalc_cs_ft);
+ int mlx5dr_domain_cache_get_recalc_cs_ft_addr(struct mlx5dr_domain *dmn,
+- u32 vport_num,
++ u16 vport_num,
+ u64 *rx_icm_addr);
+ int mlx5dr_fw_create_md_tbl(struct mlx5dr_domain *dmn,
+ struct mlx5dr_cmd_flow_destination_hw_info *dest,
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h
+index c5a8b1601999..c7c93131b762 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h
+@@ -89,7 +89,7 @@ mlx5dr_action_create_dest_flow_fw_table(struct mlx5dr_domain *domain,
+
+ struct mlx5dr_action *
+ mlx5dr_action_create_dest_vport(struct mlx5dr_domain *domain,
+- u32 vport, u8 vhca_id_valid,
++ u16 vport, u8 vhca_id_valid,
+ u16 vhca_id);
+
+ struct mlx5dr_action *
+--
+2.31.1
+
diff --git a/SPECS/kernel-hci/0032-net-mlx5-DR-Replace-local-WIRE_PORT-macro-with-the-e.patch b/SPECS/kernel-hci/0032-net-mlx5-DR-Replace-local-WIRE_PORT-macro-with-the-e.patch
new file mode 100644
index 00000000000..e692b0d82dc
--- /dev/null
+++ b/SPECS/kernel-hci/0032-net-mlx5-DR-Replace-local-WIRE_PORT-macro-with-the-e.patch
@@ -0,0 +1,98 @@
+From 7ae8ac9a582088c85154970982766617c9ebf8dc Mon Sep 17 00:00:00 2001
+From: Yevgeny Kliteynik
+Date: Thu, 23 Sep 2021 02:23:23 +0300
+Subject: [PATCH 71/78] net/mlx5: DR, Replace local WIRE_PORT macro with the
+ existing MLX5_VPORT_UPLINK
+
+SW steering defines its own macro for uplink vport number.
+Replace this macro with an already existing mlx5 macro.
+
+Signed-off-by: Yevgeny Kliteynik
+Signed-off-by: Saeed Mahameed
+---
+ .../net/ethernet/mellanox/mlx5/core/steering/dr_action.c | 2 +-
+ .../net/ethernet/mellanox/mlx5/core/steering/dr_domain.c | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c | 4 ++--
+ .../net/ethernet/mellanox/mlx5/core/steering/dr_types.h | 7 +++----
+ 4 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
+index 032b4a2546d3..8ca8fb804798 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
+@@ -669,7 +669,7 @@ int mlx5dr_actions_build_ste_arr(struct mlx5dr_matcher *matcher,
+ attr.hit_gvmi = action->vport->caps->vhca_gvmi;
+ dest_action = action;
+ if (rx_rule) {
+- if (action->vport->caps->num == WIRE_PORT) {
++ if (action->vport->caps->num == MLX5_VPORT_UPLINK) {
+ mlx5dr_dbg(dmn, "Device doesn't support Loopback on WIRE vport\n");
+ return -EOPNOTSUPP;
+ }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
+index ca299d480579..73646322c7bc 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
+@@ -170,7 +170,7 @@ static int dr_domain_query_vports(struct mlx5dr_domain *dmn)
+
+ /* Last vport is the wire port */
+ wire_vport = &dmn->info.caps.vports_caps[vport];
+- wire_vport->num = WIRE_PORT;
++ wire_vport->num = MLX5_VPORT_UPLINK;
+ wire_vport->icm_address_rx = esw_caps->uplink_icm_address_rx;
+ wire_vport->icm_address_tx = esw_caps->uplink_icm_address_tx;
+ wire_vport->vport_gvmi = 0;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
+index aca80efc28fa..323ea138ad99 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
+@@ -1042,10 +1042,10 @@ static bool dr_rule_skip(enum mlx5dr_domain_type domain,
+ return false;
+
+ if (mask->misc.source_port) {
+- if (rx && value->misc.source_port != WIRE_PORT)
++ if (rx && value->misc.source_port != MLX5_VPORT_UPLINK)
+ return true;
+
+- if (!rx && value->misc.source_port == WIRE_PORT)
++ if (!rx && value->misc.source_port == MLX5_VPORT_UPLINK)
+ return true;
+ }
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+index 441c03e645db..8e171a6d3a9d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+@@ -4,7 +4,7 @@
+ #ifndef _DR_TYPES_
+ #define _DR_TYPES_
+
+-#include
++#include
+ #include
+ #include "fs_core.h"
+ #include "wq.h"
+@@ -14,7 +14,6 @@
+
+ #define DR_RULE_MAX_STES 18
+ #define DR_ACTION_MAX_STES 5
+-#define WIRE_PORT 0xFFFF
+ #define DR_STE_SVLAN 0x1
+ #define DR_STE_CVLAN 0x2
+ #define DR_SZ_MATCH_PARAM (MLX5_ST_SZ_DW_MATCH_PARAM * 4)
+@@ -1106,10 +1105,10 @@ static inline struct mlx5dr_cmd_vport_cap *
+ mlx5dr_get_vport_cap(struct mlx5dr_cmd_caps *caps, u16 vport)
+ {
+ if (!caps->vports_caps ||
+- (vport >= caps->num_vports && vport != WIRE_PORT))
++ (vport >= caps->num_vports && vport != MLX5_VPORT_UPLINK))
+ return NULL;
+
+- if (vport == WIRE_PORT)
++ if (vport == MLX5_VPORT_UPLINK)
+ vport = caps->num_vports;
+
+ return &caps->vports_caps[vport];
+--
+2.31.1
+
diff --git a/SPECS/kernel-hci/0033-net-mlx5-DR-Add-missing-query-for-vport-0.patch b/SPECS/kernel-hci/0033-net-mlx5-DR-Add-missing-query-for-vport-0.patch
new file mode 100644
index 00000000000..a02531d8980
--- /dev/null
+++ b/SPECS/kernel-hci/0033-net-mlx5-DR-Add-missing-query-for-vport-0.patch
@@ -0,0 +1,160 @@
+From dd4acb2a0954a6ac9941f0dc3a690b49565c9ec3 Mon Sep 17 00:00:00 2001
+From: Yevgeny Kliteynik
+Date: Tue, 10 Aug 2021 22:34:58 +0300
+Subject: [PATCH 72/78] net/mlx5: DR, Add missing query for vport 0
+
+Currently, vport 0 capabilities are not set.
+To fix this, we now querying both eswitch manager and vport 0.
+Eswitch manager has an access to all the vports - for eswitch manager PF, all
+vports can be referred as other vports. The exception is embedded CPU mode,
+where there is vport 0 of ECPF and the PF vport 0.
+
+Here is how vport are queried:
+
+For Connect-X5/6:
+ PF vport (0) and vports 1..n: vport number, other = true
+ esw_manager is vport 0 (PF)
+For BlueField (in embedded CPU mode):
+ ECPF vport: vport = 0, other = false
+ PF vport (0) and 1..n: vport number, other = true
+ esw_manager = vport 0 (ECPF)
+
+Also, note that there's no need for other_vport function parameter
+in dr_domain_query_vport - this value is now deduced locally in the
+function.
+
+Signed-off-by: Yuval Avnery
+Signed-off-by: Yevgeny Kliteynik
+Reviewed-by: Muhammad Sammar
+Signed-off-by: Saeed Mahameed
+---
+ .../mellanox/mlx5/core/steering/dr_cmd.c | 2 +
+ .../mellanox/mlx5/core/steering/dr_domain.c | 37 +++++++++++++------
+ .../mellanox/mlx5/core/steering/dr_types.h | 5 +++
+ 3 files changed, 32 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
+index 0f69321b3269..1d8febed0d76 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
+@@ -195,6 +195,8 @@ int mlx5dr_cmd_query_device(struct mlx5_core_dev *mdev,
+
+ caps->roce_min_src_udp = MLX5_CAP_ROCE(mdev, r_roce_min_src_udp_port);
+
++ caps->is_ecpf = mlx5_core_is_ecpf_esw_manager(mdev);
++
+ return 0;
+ }
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
+index 73646322c7bc..b61c5a8ba305 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
+@@ -125,17 +125,21 @@ static void dr_domain_uninit_resources(struct mlx5dr_domain *dmn)
+ }
+
+ static int dr_domain_query_vport(struct mlx5dr_domain *dmn,
+- bool other_vport,
+- u16 vport_number)
++ u16 vport_number,
++ struct mlx5dr_cmd_vport_cap *vport_caps)
+ {
+- struct mlx5dr_cmd_vport_cap *vport_caps;
++ u16 cmd_vport = vport_number;
++ bool other_vport = true;
+ int ret;
+
+- vport_caps = &dmn->info.caps.vports_caps[vport_number];
++ if (dmn->info.caps.is_ecpf && vport_number == MLX5_VPORT_ECPF) {
++ other_vport = false;
++ cmd_vport = 0;
++ }
+
+ ret = mlx5dr_cmd_query_esw_vport_context(dmn->mdev,
+ other_vport,
+- vport_number,
++ cmd_vport,
+ &vport_caps->icm_address_rx,
+ &vport_caps->icm_address_tx);
+ if (ret)
+@@ -143,7 +147,7 @@ static int dr_domain_query_vport(struct mlx5dr_domain *dmn,
+
+ ret = mlx5dr_cmd_query_gvmi(dmn->mdev,
+ other_vport,
+- vport_number,
++ cmd_vport,
+ &vport_caps->vport_gvmi);
+ if (ret)
+ return ret;
+@@ -154,6 +158,13 @@ static int dr_domain_query_vport(struct mlx5dr_domain *dmn,
+ return 0;
+ }
+
++static int dr_domain_query_esw_mngr(struct mlx5dr_domain *dmn)
++{
++ return dr_domain_query_vport(dmn,
++ dmn->info.caps.is_ecpf ? MLX5_VPORT_ECPF : 0,
++ &dmn->info.caps.esw_manager_vport_caps);
++}
++
+ static int dr_domain_query_vports(struct mlx5dr_domain *dmn)
+ {
+ struct mlx5dr_esw_caps *esw_caps = &dmn->info.caps.esw_caps;
+@@ -161,9 +172,15 @@ static int dr_domain_query_vports(struct mlx5dr_domain *dmn)
+ int vport;
+ int ret;
+
++ ret = dr_domain_query_esw_mngr(dmn);
++ if (ret)
++ return ret;
++
+ /* Query vports (except wire vport) */
+ for (vport = 0; vport < dmn->info.caps.num_esw_ports - 1; vport++) {
+- ret = dr_domain_query_vport(dmn, !!vport, vport);
++ ret = dr_domain_query_vport(dmn,
++ vport,
++ &dmn->info.caps.vports_caps[vport]);
+ if (ret)
+ return ret;
+ }
+@@ -267,11 +284,7 @@ static int dr_domain_caps_init(struct mlx5_core_dev *mdev,
+
+ dmn->info.rx.type = DR_DOMAIN_NIC_TYPE_RX;
+ dmn->info.tx.type = DR_DOMAIN_NIC_TYPE_TX;
+- vport_cap = mlx5dr_get_vport_cap(&dmn->info.caps, 0);
+- if (!vport_cap) {
+- mlx5dr_err(dmn, "Failed to get esw manager vport\n");
+- return -ENOENT;
+- }
++ vport_cap = &dmn->info.caps.esw_manager_vport_caps;
+
+ dmn->info.supp_sw_steering = true;
+ dmn->info.tx.default_icm_addr = vport_cap->icm_address_tx;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+index 8e171a6d3a9d..4bf8156f0a87 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+@@ -797,8 +797,10 @@ struct mlx5dr_cmd_caps {
+ u32 num_vports;
+ struct mlx5dr_esw_caps esw_caps;
+ struct mlx5dr_cmd_vport_cap *vports_caps;
++ struct mlx5dr_cmd_vport_cap esw_manager_vport_caps;
+ bool prio_tag_required;
+ struct mlx5dr_roce_cap roce_caps;
++ u8 is_ecpf:1;
+ u8 isolate_vl_tc:1;
+ };
+
+@@ -1104,6 +1106,9 @@ mlx5dr_ste_htbl_may_grow(struct mlx5dr_ste_htbl *htbl)
+ static inline struct mlx5dr_cmd_vport_cap *
+ mlx5dr_get_vport_cap(struct mlx5dr_cmd_caps *caps, u16 vport)
+ {
++ if (caps->is_ecpf && vport == MLX5_VPORT_ECPF)
++ return &caps->esw_manager_vport_caps;
++
+ if (!caps->vports_caps ||
+ (vport >= caps->num_vports && vport != MLX5_VPORT_UPLINK))
+ return NULL;
+--
+2.31.1
+
diff --git a/SPECS/kernel-hci/0034-net-mlx5-DR-Align-error-messages-for-failure-to-obta.patch b/SPECS/kernel-hci/0034-net-mlx5-DR-Align-error-messages-for-failure-to-obta.patch
new file mode 100644
index 00000000000..ef3f4ed25a3
--- /dev/null
+++ b/SPECS/kernel-hci/0034-net-mlx5-DR-Align-error-messages-for-failure-to-obta.patch
@@ -0,0 +1,48 @@ +From ee1887fb7cdd1b516ec94f71df41c4cc862836cd Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Tue, 17 Aug 2021 11:16:39 +0300 +Subject: [PATCH 73/78] net/mlx5: DR, Align error messages for failure to + obtain vport caps + +Print similar error messages when an invalid vport number is +provided during action creation and during STEv0/1 creation. + +Signed-off-by: Yevgeny Kliteynik +Reviewed-by: Muhammad Sammar +Signed-off-by: Saeed Mahameed +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c | 4 +++- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c | 2 +- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +index 8ca8fb804798..d09e99afc171 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +@@ -1769,7 +1769,9 @@ mlx5dr_action_create_dest_vport(struct mlx5dr_domain *dmn, + + vport_cap = mlx5dr_get_vport_cap(&vport_dmn->info.caps, vport); + if (!vport_cap) { +- mlx5dr_dbg(dmn, "Failed to get vport %d caps\n", vport); ++ mlx5dr_err(dmn, ++ "Failed to get vport 0x%x caps - vport is disabled or invalid\n", ++ vport); + return NULL; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c +index 9c704bce3c12..507719322af8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c +@@ -1670,7 +1670,7 @@ dr_ste_v0_build_src_gvmi_qpn_tag(struct mlx5dr_match_param *value, + if (source_gvmi_set) { + vport_cap = mlx5dr_get_vport_cap(caps, misc->source_port); + if (!vport_cap) { +- mlx5dr_err(dmn, "Vport 0x%x is invalid\n", ++ mlx5dr_err(dmn, "Vport 0x%x is disabled or invalid\n", + misc->source_port); + return -EINVAL; + } +-- 
+2.31.1 + diff --git a/SPECS/kernel-hci/0035-net-mlx5-DR-Support-csum-recalculation-flow-table-on.patch b/SPECS/kernel-hci/0035-net-mlx5-DR-Support-csum-recalculation-flow-table-on.patch new file mode 100644 index 00000000000..569e567806e --- /dev/null +++ b/SPECS/kernel-hci/0035-net-mlx5-DR-Support-csum-recalculation-flow-table-on.patch 
@@ -0,0 +1,176 @@ +From c0e90fc2ccaa8d7b9a781f5bc4287084b855138e Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Wed, 8 Sep 2021 19:44:11 +0300 +Subject: [PATCH 74/78] net/mlx5: DR, Support csum recalculation flow table on + SFs + +Implement csum recalculation flow tables in XAarray instead of a fixed +array, thus adding support for csum recalc table on any valid vport +number, which enables this support for SFs. + +Signed-off-by: Yevgeny Kliteynik +Reviewed-by: Muhammad Sammar +Signed-off-by: Saeed Mahameed +--- + .../mellanox/mlx5/core/steering/dr_action.c | 6 +-- + .../mellanox/mlx5/core/steering/dr_domain.c | 53 ++++++++----------- + .../mellanox/mlx5/core/steering/dr_types.h | 12 ++--- + 3 files changed, 29 insertions(+), 42 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +index d09e99afc171..a41fac349981 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +@@ -513,9 +513,9 @@ static int dr_action_handle_cs_recalc(struct mlx5dr_domain *dmn, + /* If destination is vport we will get the FW flow table + * that recalculates the CS and forwards to the vport. 
+ */ +- ret = mlx5dr_domain_cache_get_recalc_cs_ft_addr(dest_action->vport->dmn, +- dest_action->vport->caps->num, +- final_icm_addr); ++ ret = mlx5dr_domain_get_recalc_cs_ft_addr(dest_action->vport->dmn, ++ dest_action->vport->caps->num, ++ final_icm_addr); + if (ret) { + mlx5dr_err(dmn, "Failed to get FW cs recalc flow table\n"); + return ret; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +index b61c5a8ba305..bb12e8faf096 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +@@ -9,48 +9,45 @@ + ((dmn)->info.caps.dmn_type##_sw_owner_v2 && \ + (dmn)->info.caps.sw_format_ver <= MLX5_STEERING_FORMAT_CONNECTX_6DX)) + +-static int dr_domain_init_cache(struct mlx5dr_domain *dmn) ++static void dr_domain_init_csum_recalc_fts(struct mlx5dr_domain *dmn) + { + /* Per vport cached FW FT for checksum recalculation, this +- * recalculation is needed due to a HW bug. ++ * recalculation is needed due to a HW bug in STEv0. 
+ */ +- dmn->cache.recalc_cs_ft = kcalloc(dmn->info.caps.num_vports, +- sizeof(dmn->cache.recalc_cs_ft[0]), +- GFP_KERNEL); +- if (!dmn->cache.recalc_cs_ft) +- return -ENOMEM; +- +- return 0; ++ xa_init(&dmn->csum_fts_xa); + } + +-static void dr_domain_uninit_cache(struct mlx5dr_domain *dmn) ++static void dr_domain_uninit_csum_recalc_fts(struct mlx5dr_domain *dmn) + { +- int i; +- +- for (i = 0; i < dmn->info.caps.num_vports; i++) { +- if (!dmn->cache.recalc_cs_ft[i]) +- continue; ++ struct mlx5dr_fw_recalc_cs_ft *recalc_cs_ft; ++ unsigned long i; + +- mlx5dr_fw_destroy_recalc_cs_ft(dmn, dmn->cache.recalc_cs_ft[i]); ++ xa_for_each(&dmn->csum_fts_xa, i, recalc_cs_ft) { ++ if (recalc_cs_ft) ++ mlx5dr_fw_destroy_recalc_cs_ft(dmn, recalc_cs_ft); + } + +- kfree(dmn->cache.recalc_cs_ft); ++ xa_destroy(&dmn->csum_fts_xa); + } + +-int mlx5dr_domain_cache_get_recalc_cs_ft_addr(struct mlx5dr_domain *dmn, +- u16 vport_num, +- u64 *rx_icm_addr) ++int mlx5dr_domain_get_recalc_cs_ft_addr(struct mlx5dr_domain *dmn, ++ u16 vport_num, ++ u64 *rx_icm_addr) + { + struct mlx5dr_fw_recalc_cs_ft *recalc_cs_ft; ++ int ret; + +- recalc_cs_ft = dmn->cache.recalc_cs_ft[vport_num]; ++ recalc_cs_ft = xa_load(&dmn->csum_fts_xa, vport_num); + if (!recalc_cs_ft) { +- /* Table not in cache, need to allocate a new one */ ++ /* Table hasn't been created yet */ + recalc_cs_ft = mlx5dr_fw_create_recalc_cs_ft(dmn, vport_num); + if (!recalc_cs_ft) + return -EINVAL; + +- dmn->cache.recalc_cs_ft[vport_num] = recalc_cs_ft; ++ ret = xa_err(xa_store(&dmn->csum_fts_xa, vport_num, ++ recalc_cs_ft, GFP_KERNEL)); ++ if (ret) ++ return ret; + } + + *rx_icm_addr = recalc_cs_ft->rx_icm_addr; +@@ -346,16 +343,10 @@ mlx5dr_domain_create(struct mlx5_core_dev *mdev, enum mlx5dr_domain_type type) + goto uninit_caps; + } + +- ret = dr_domain_init_cache(dmn); +- if (ret) { +- mlx5dr_err(dmn, "Failed initialize domain cache\n"); +- goto uninit_resourses; +- } ++ dr_domain_init_csum_recalc_fts(dmn); + + return dmn; + 
+-uninit_resourses: +- dr_domain_uninit_resources(dmn); + uninit_caps: + dr_domain_caps_uninit(dmn); + free_domain: +@@ -394,7 +385,7 @@ int mlx5dr_domain_destroy(struct mlx5dr_domain *dmn) + + /* make sure resources are not used by the hardware */ + mlx5dr_cmd_sync_steering(dmn->mdev); +- dr_domain_uninit_cache(dmn); ++ dr_domain_uninit_csum_recalc_fts(dmn); + dr_domain_uninit_resources(dmn); + dr_domain_caps_uninit(dmn); + mutex_destroy(&dmn->info.tx.mutex); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index 4bf8156f0a87..a9cf4f55cacf 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -827,10 +827,6 @@ struct mlx5dr_domain_info { + struct mlx5dr_cmd_caps caps; + }; + +-struct mlx5dr_domain_cache { +- struct mlx5dr_fw_recalc_cs_ft **recalc_cs_ft; +-}; +- + struct mlx5dr_domain { + struct mlx5dr_domain *peer_dmn; + struct mlx5_core_dev *mdev; +@@ -842,7 +838,7 @@ struct mlx5dr_domain { + struct mlx5dr_icm_pool *action_icm_pool; + struct mlx5dr_send_ring *send_ring; + struct mlx5dr_domain_info info; +- struct mlx5dr_domain_cache cache; ++ struct xarray csum_fts_xa; + struct mlx5dr_ste_ctx *ste_ctx; + }; + +@@ -1379,9 +1375,9 @@ struct mlx5dr_fw_recalc_cs_ft * + mlx5dr_fw_create_recalc_cs_ft(struct mlx5dr_domain *dmn, u16 vport_num); + void mlx5dr_fw_destroy_recalc_cs_ft(struct mlx5dr_domain *dmn, + struct mlx5dr_fw_recalc_cs_ft *recalc_cs_ft); +-int mlx5dr_domain_cache_get_recalc_cs_ft_addr(struct mlx5dr_domain *dmn, +- u16 vport_num, +- u64 *rx_icm_addr); ++int mlx5dr_domain_get_recalc_cs_ft_addr(struct mlx5dr_domain *dmn, ++ u16 vport_num, ++ u64 *rx_icm_addr); + int mlx5dr_fw_create_md_tbl(struct mlx5dr_domain *dmn, + struct mlx5dr_cmd_flow_destination_hw_info *dest, + int num_dest, +-- +2.31.1 + 
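Review bot: In the new `mlx5dr_domain_get_recalc_cs_ft_addr` (dr_domain.c hunk) the table returned by `mlx5dr_fw_create_recalc_cs_ft` is leaked when `xa_store` fails: the `if (ret) return ret;` path neither destroys it nor records it in `csum_fts_xa`, so `dr_domain_uninit_csum_recalc_fts` can never free it. The error branch should release it first, e.g. `if (ret) { mlx5dr_fw_destroy_recalc_cs_ft(dmn, recalc_cs_ft); return ret; }`. The `xa_load` → create → `xa_store` sequence is also a check-then-act; if two callers can reach it for the same `vport_num` concurrently (the surrounding locking is not visible here), `xa_store` silently replaces the first table and leaks it as well, whereas `xa_insert` would report `-EBUSY` and let the loser drop its copy. `mlx5dr_domain_create` and `mlx5dr_domain_destroy` start outside the hunk.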
diff --git a/SPECS/kernel-hci/0036-net-mlx5-DR-Add-support-for-SF-vports.patch b/SPECS/kernel-hci/0036-net-mlx5-DR-Add-support-for-SF-vports.patch new file mode 100644 index 00000000000..3057fe91e76 --- /dev/null +++ b/SPECS/kernel-hci/0036-net-mlx5-DR-Add-support-for-SF-vports.patch 
@@ -0,0 +1,394 @@ +From 11a45def2e197532c46aa908dedd52bc1ee378a2 Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Thu, 9 Sep 2021 17:32:46 +0300 +Subject: [PATCH 75/78] net/mlx5: DR, Add support for SF vports + +Move all the vport capabilities to a separate struct and store vport caps +in XArray: SFs vport numbers will not come in the same range as VF vports, +so the existing implementation of vport capabilities as a fixed size array +is not suitable here. + +XArray is a perfect fit: it is efficient when the indices used are densely +clustered. In addition to being a perfect fit as a dynamic data structure, +XArray also provides locking - it uses RCU and an internal spinlock to +synchronise access, so no additional protection needed. + +Now except for the eswitch manager vport, all other vports (including the +uplink vport) are handled in the same way: when a new go-to-vport action +is added, this vport's caps are loaded from the xarray. If it is the first +time for this particular vport number, then its capabilities are queried +from FW and filled in into the appropriate entry. 
+ +Signed-off-by: Yevgeny Kliteynik +Reviewed-by: Muhammad Sammar +Signed-off-by: Saeed Mahameed +--- + .../mellanox/mlx5/core/steering/dr_action.c | 2 +- + .../mellanox/mlx5/core/steering/dr_domain.c | 138 +++++++++++++----- + .../mellanox/mlx5/core/steering/dr_ste_v0.c | 11 +- + .../mellanox/mlx5/core/steering/dr_ste_v1.c | 10 +- + .../mellanox/mlx5/core/steering/dr_types.h | 27 +--- + 5 files changed, 120 insertions(+), 68 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +index a41fac349981..0179d386ee48 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +@@ -1767,7 +1767,7 @@ mlx5dr_action_create_dest_vport(struct mlx5dr_domain *dmn, + return NULL; + } + +- vport_cap = mlx5dr_get_vport_cap(&vport_dmn->info.caps, vport); ++ vport_cap = mlx5dr_domain_get_vport_cap(vport_dmn, vport); + if (!vport_cap) { + mlx5dr_err(dmn, + "Failed to get vport 0x%x caps - vport is disabled or invalid\n", +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +index bb12e8faf096..49089cbe897c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +@@ -121,6 +121,18 @@ static void dr_domain_uninit_resources(struct mlx5dr_domain *dmn) + mlx5_core_dealloc_pd(dmn->mdev, dmn->pdn); + } + ++static void dr_domain_fill_uplink_caps(struct mlx5dr_domain *dmn, ++ struct mlx5dr_cmd_vport_cap *uplink_vport) ++{ ++ struct mlx5dr_esw_caps *esw_caps = &dmn->info.caps.esw_caps; ++ ++ uplink_vport->num = MLX5_VPORT_UPLINK; ++ uplink_vport->icm_address_rx = esw_caps->uplink_icm_address_rx; ++ uplink_vport->icm_address_tx = esw_caps->uplink_icm_address_tx; ++ uplink_vport->vport_gvmi = 0; ++ uplink_vport->vhca_gvmi = dmn->info.caps.gvmi; ++} 
++ + static int dr_domain_query_vport(struct mlx5dr_domain *dmn, + u16 vport_number, + struct mlx5dr_cmd_vport_cap *vport_caps) +@@ -129,6 +141,11 @@ static int dr_domain_query_vport(struct mlx5dr_domain *dmn, + bool other_vport = true; + int ret; + ++ if (vport_number == MLX5_VPORT_UPLINK) { ++ dr_domain_fill_uplink_caps(dmn, vport_caps); ++ return 0; ++ } ++ + if (dmn->info.caps.is_ecpf && vport_number == MLX5_VPORT_ECPF) { + other_vport = false; + cmd_vport = 0; +@@ -159,36 +176,78 @@ static int dr_domain_query_esw_mngr(struct mlx5dr_domain *dmn) + { + return dr_domain_query_vport(dmn, + dmn->info.caps.is_ecpf ? MLX5_VPORT_ECPF : 0, +- &dmn->info.caps.esw_manager_vport_caps); ++ &dmn->info.caps.vports.esw_manager_caps); + } + +-static int dr_domain_query_vports(struct mlx5dr_domain *dmn) ++static struct mlx5dr_cmd_vport_cap * ++dr_domain_add_vport_cap(struct mlx5dr_domain *dmn, u16 vport) + { +- struct mlx5dr_esw_caps *esw_caps = &dmn->info.caps.esw_caps; +- struct mlx5dr_cmd_vport_cap *wire_vport; +- int vport; ++ struct mlx5dr_cmd_caps *caps = &dmn->info.caps; ++ struct mlx5dr_cmd_vport_cap *vport_caps; + int ret; + +- ret = dr_domain_query_esw_mngr(dmn); +- if (ret) +- return ret; ++ vport_caps = kvzalloc(sizeof(*vport_caps), GFP_KERNEL); ++ if (!vport_caps) ++ return NULL; + +- /* Query vports (except wire vport) */ +- for (vport = 0; vport < dmn->info.caps.num_esw_ports - 1; vport++) { +- ret = dr_domain_query_vport(dmn, +- vport, +- &dmn->info.caps.vports_caps[vport]); +- if (ret) +- return ret; ++ ret = dr_domain_query_vport(dmn, vport, vport_caps); ++ if (ret) { ++ kvfree(vport_caps); ++ return NULL; + } + +- /* Last vport is the wire port */ +- wire_vport = &dmn->info.caps.vports_caps[vport]; +- wire_vport->num = MLX5_VPORT_UPLINK; +- wire_vport->icm_address_rx = esw_caps->uplink_icm_address_rx; +- wire_vport->icm_address_tx = esw_caps->uplink_icm_address_tx; +- wire_vport->vport_gvmi = 0; +- wire_vport->vhca_gvmi = dmn->info.caps.gvmi; ++ ret = 
xa_insert(&caps->vports.vports_caps_xa, vport, ++ vport_caps, GFP_KERNEL); ++ if (ret) { ++ mlx5dr_dbg(dmn, "Couldn't insert new vport into xarray (%d)\n", ret); ++ kvfree(vport_caps); ++ return ERR_PTR(ret); ++ } ++ ++ return vport_caps; ++} ++ ++struct mlx5dr_cmd_vport_cap * ++mlx5dr_domain_get_vport_cap(struct mlx5dr_domain *dmn, u16 vport) ++{ ++ struct mlx5dr_cmd_caps *caps = &dmn->info.caps; ++ struct mlx5dr_cmd_vport_cap *vport_caps; ++ ++ if ((caps->is_ecpf && vport == MLX5_VPORT_ECPF) || ++ (!caps->is_ecpf && vport == 0)) ++ return &caps->vports.esw_manager_caps; ++ ++vport_load: ++ vport_caps = xa_load(&caps->vports.vports_caps_xa, vport); ++ if (vport_caps) ++ return vport_caps; ++ ++ vport_caps = dr_domain_add_vport_cap(dmn, vport); ++ if (PTR_ERR(vport_caps) == -EBUSY) ++ /* caps were already stored by another thread */ ++ goto vport_load; ++ ++ return vport_caps; ++} ++ ++static void dr_domain_clear_vports(struct mlx5dr_domain *dmn) ++{ ++ struct mlx5dr_cmd_vport_cap *vport_caps; ++ unsigned long i; ++ ++ xa_for_each(&dmn->info.caps.vports.vports_caps_xa, i, vport_caps) { ++ vport_caps = xa_erase(&dmn->info.caps.vports.vports_caps_xa, i); ++ kvfree(vport_caps); ++ } ++} ++ ++static int dr_domain_query_uplink(struct mlx5dr_domain *dmn) ++{ ++ struct mlx5dr_cmd_vport_cap *vport_caps; ++ ++ vport_caps = mlx5dr_domain_get_vport_cap(dmn, MLX5_VPORT_UPLINK); ++ if (!vport_caps) ++ return -EINVAL; + + return 0; + } +@@ -210,25 +269,29 @@ static int dr_domain_query_fdb_caps(struct mlx5_core_dev *mdev, + dmn->info.caps.esw_rx_drop_address = dmn->info.caps.esw_caps.drop_icm_address_rx; + dmn->info.caps.esw_tx_drop_address = dmn->info.caps.esw_caps.drop_icm_address_tx; + +- dmn->info.caps.vports_caps = kcalloc(dmn->info.caps.num_esw_ports, +- sizeof(dmn->info.caps.vports_caps[0]), +- GFP_KERNEL); +- if (!dmn->info.caps.vports_caps) +- return -ENOMEM; ++ xa_init(&dmn->info.caps.vports.vports_caps_xa); ++ ++ /* Query eswitch manager and uplink vports only. 
Rest of the ++ * vports (vport 0, VFs and SFs) will be queried dynamically. ++ */ + +- ret = dr_domain_query_vports(dmn); ++ ret = dr_domain_query_esw_mngr(dmn); + if (ret) { +- mlx5dr_err(dmn, "Failed to query vports caps (err: %d)", ret); +- goto free_vports_caps; ++ mlx5dr_err(dmn, "Failed to query eswitch manager vport caps (err: %d)", ret); ++ goto free_vports_caps_xa; + } + +- dmn->info.caps.num_vports = dmn->info.caps.num_esw_ports - 1; ++ ret = dr_domain_query_uplink(dmn); ++ if (ret) { ++ mlx5dr_err(dmn, "Failed to query uplink vport caps (err: %d)", ret); ++ goto free_vports_caps_xa; ++ } + + return 0; + +-free_vports_caps: +- kfree(dmn->info.caps.vports_caps); +- dmn->info.caps.vports_caps = NULL; ++free_vports_caps_xa: ++ xa_destroy(&dmn->info.caps.vports.vports_caps_xa); ++ + return ret; + } + +@@ -243,8 +306,6 @@ static int dr_domain_caps_init(struct mlx5_core_dev *mdev, + return -EOPNOTSUPP; + } + +- dmn->info.caps.num_esw_ports = mlx5_eswitch_get_total_vports(mdev); +- + ret = mlx5dr_cmd_query_device(mdev, &dmn->info.caps); + if (ret) + return ret; +@@ -281,7 +342,7 @@ static int dr_domain_caps_init(struct mlx5_core_dev *mdev, + + dmn->info.rx.type = DR_DOMAIN_NIC_TYPE_RX; + dmn->info.tx.type = DR_DOMAIN_NIC_TYPE_TX; +- vport_cap = &dmn->info.caps.esw_manager_vport_caps; ++ vport_cap = &dmn->info.caps.vports.esw_manager_caps; + + dmn->info.supp_sw_steering = true; + dmn->info.tx.default_icm_addr = vport_cap->icm_address_tx; +@@ -300,7 +361,8 @@ static int dr_domain_caps_init(struct mlx5_core_dev *mdev, + + static void dr_domain_caps_uninit(struct mlx5dr_domain *dmn) + { +- kfree(dmn->info.caps.vports_caps); ++ dr_domain_clear_vports(dmn); ++ xa_destroy(&dmn->info.caps.vports.vports_caps_xa); + } + + struct mlx5dr_domain * +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c +index 507719322af8..b0649c2877dd 100644 +--- 
a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c +@@ -1645,7 +1645,7 @@ dr_ste_v0_build_src_gvmi_qpn_tag(struct mlx5dr_match_param *value, + struct mlx5dr_match_misc *misc = &value->misc; + struct mlx5dr_cmd_vport_cap *vport_cap; + struct mlx5dr_domain *dmn = sb->dmn; +- struct mlx5dr_cmd_caps *caps; ++ struct mlx5dr_domain *vport_dmn; + u8 *bit_mask = sb->bit_mask; + bool source_gvmi_set; + +@@ -1654,21 +1654,22 @@ dr_ste_v0_build_src_gvmi_qpn_tag(struct mlx5dr_match_param *value, + if (sb->vhca_id_valid) { + /* Find port GVMI based on the eswitch_owner_vhca_id */ + if (misc->source_eswitch_owner_vhca_id == dmn->info.caps.gvmi) +- caps = &dmn->info.caps; ++ vport_dmn = dmn; + else if (dmn->peer_dmn && (misc->source_eswitch_owner_vhca_id == + dmn->peer_dmn->info.caps.gvmi)) +- caps = &dmn->peer_dmn->info.caps; ++ vport_dmn = dmn->peer_dmn; + else + return -EINVAL; + + misc->source_eswitch_owner_vhca_id = 0; + } else { +- caps = &dmn->info.caps; ++ vport_dmn = dmn; + } + + source_gvmi_set = MLX5_GET(ste_src_gvmi_qp, bit_mask, source_gvmi); + if (source_gvmi_set) { +- vport_cap = mlx5dr_get_vport_cap(caps, misc->source_port); ++ vport_cap = mlx5dr_domain_get_vport_cap(vport_dmn, ++ misc->source_port); + if (!vport_cap) { + mlx5dr_err(dmn, "Vport 0x%x is disabled or invalid\n", + misc->source_port); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c +index 33e6299026f7..3497c2cf3118 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c +@@ -1776,7 +1776,7 @@ static int dr_ste_v1_build_src_gvmi_qpn_tag(struct mlx5dr_match_param *value, + struct mlx5dr_match_misc *misc = &value->misc; + struct mlx5dr_cmd_vport_cap *vport_cap; + struct mlx5dr_domain *dmn = sb->dmn; +- struct mlx5dr_cmd_caps *caps; ++ struct 
mlx5dr_domain *vport_dmn; + u8 *bit_mask = sb->bit_mask; + + DR_STE_SET_TAG(src_gvmi_qp_v1, tag, source_qp, misc, source_sqn); +@@ -1784,22 +1784,22 @@ static int dr_ste_v1_build_src_gvmi_qpn_tag(struct mlx5dr_match_param *value, + if (sb->vhca_id_valid) { + /* Find port GVMI based on the eswitch_owner_vhca_id */ + if (misc->source_eswitch_owner_vhca_id == dmn->info.caps.gvmi) +- caps = &dmn->info.caps; ++ vport_dmn = dmn; + else if (dmn->peer_dmn && (misc->source_eswitch_owner_vhca_id == + dmn->peer_dmn->info.caps.gvmi)) +- caps = &dmn->peer_dmn->info.caps; ++ vport_dmn = dmn->peer_dmn; + else + return -EINVAL; + + misc->source_eswitch_owner_vhca_id = 0; + } else { +- caps = &dmn->info.caps; ++ vport_dmn = dmn; + } + + if (!MLX5_GET(ste_src_gvmi_qp_v1, bit_mask, source_gvmi)) + return 0; + +- vport_cap = mlx5dr_get_vport_cap(caps, misc->source_port); ++ vport_cap = mlx5dr_domain_get_vport_cap(vport_dmn, misc->source_port); + if (!vport_cap) { + mlx5dr_err(dmn, "Vport 0x%x is disabled or invalid\n", + misc->source_port); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index a9cf4f55cacf..01787b9d5a57 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -762,6 +762,11 @@ struct mlx5dr_roce_cap { + u8 fl_rc_qp_when_roce_enabled:1; + }; + ++struct mlx5dr_vports { ++ struct mlx5dr_cmd_vport_cap esw_manager_caps; ++ struct xarray vports_caps_xa; ++}; ++ + struct mlx5dr_cmd_caps { + u16 gvmi; + u64 nic_rx_drop_address; +@@ -785,7 +790,6 @@ struct mlx5dr_cmd_caps { + u8 flex_parser_id_gtpu_first_ext_dw_0; + u8 max_ft_level; + u16 roce_min_src_udp; +- u8 num_esw_ports; + u8 sw_format_ver; + bool eswitch_manager; + bool rx_sw_owner; +@@ -794,10 +798,8 @@ struct mlx5dr_cmd_caps { + u8 rx_sw_owner_v2:1; + u8 tx_sw_owner_v2:1; + u8 fdb_sw_owner_v2:1; +- u32 num_vports; + struct mlx5dr_esw_caps 
esw_caps; +- struct mlx5dr_cmd_vport_cap *vports_caps; +- struct mlx5dr_cmd_vport_cap esw_manager_vport_caps; ++ struct mlx5dr_vports vports; + bool prio_tag_required; + struct mlx5dr_roce_cap roce_caps; + u8 is_ecpf:1; +@@ -1099,21 +1101,8 @@ mlx5dr_ste_htbl_may_grow(struct mlx5dr_ste_htbl *htbl) + return true; + } + +-static inline struct mlx5dr_cmd_vport_cap * +-mlx5dr_get_vport_cap(struct mlx5dr_cmd_caps *caps, u16 vport) +-{ +- if (caps->is_ecpf && vport == MLX5_VPORT_ECPF) +- return &caps->esw_manager_vport_caps; +- +- if (!caps->vports_caps || +- (vport >= caps->num_vports && vport != MLX5_VPORT_UPLINK)) +- return NULL; +- +- if (vport == MLX5_VPORT_UPLINK) +- vport = caps->num_vports; +- +- return &caps->vports_caps[vport]; +-} ++struct mlx5dr_cmd_vport_cap * ++mlx5dr_domain_get_vport_cap(struct mlx5dr_domain *dmn, u16 vport); + + struct mlx5dr_cmd_query_flow_table_details { + u8 status; +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0037-net-mlx5-DR-Increase-supported-num-of-actions-to-32.patch b/SPECS/kernel-hci/0037-net-mlx5-DR-Increase-supported-num-of-actions-to-32.patch new file mode 100644 index 00000000000..3f8b87fc4ed --- /dev/null +++ b/SPECS/kernel-hci/0037-net-mlx5-DR-Increase-supported-num-of-actions-to-32.patch 
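Review bot: `mlx5dr_domain_get_vport_cap` can hand an `ERR_PTR` to callers that only test for NULL: `dr_domain_add_vport_cap` returns `ERR_PTR(ret)` when `xa_insert` fails, and the getter retries only on `-EBUSY`, passing any other error pointer (e.g. `-ENOMEM`) straight through, while `dr_domain_query_uplink`, `mlx5dr_action_create_dest_vport` and the dr_ste_v0.c/dr_ste_v1.c tag builders check `if (!vport_cap)` and would then dereference it. Either normalise in the getter, `if (IS_ERR(vport_caps)) return NULL;` after the `-EBUSY` retry, or make `dr_domain_add_vport_cap` return NULL on every failure (its allocation and query failures already do) so the two error conventions do not mix. Separately, with the fixed-size `vports_caps` array and its `vport >= num_vports` bound removed, any vport number reaching the getter now costs an allocation and a FW query on first use, and a failed query leaves no xarray entry, so repeated lookups of an invalid vport re-query FW each time; a comment on `dr_domain_add_vport_cap` stating this would make the behaviour explicit to the next reader. The dr_ste_v0.c and dr_ste_v1.c hunks share the NULL-only check and need no separate change once the getter is fixed.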
@@ -0,0 +1,30 @@ +From 1ffd498901c1134a7cbecf5409e12c064c39cef9 Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Sat, 11 Sep 2021 11:44:01 +0300 +Subject: [PATCH 76/78] net/mlx5: DR, Increase supported num of actions to 32 + +Increase max supported number of actions in the same rule. + +Signed-off-by: Hamdan Igbaria +Signed-off-by: Yevgeny Kliteynik +Signed-off-by: Saeed Mahameed +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c +index 7e58f4e594b7..230e920e3845 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c +@@ -222,7 +222,7 @@ static bool contain_vport_reformat_action(struct mlx5_flow_rule *dst) + dst->dest_attr.vport.flags & MLX5_FLOW_DEST_VPORT_REFORMAT_ID; + } + +-#define MLX5_FLOW_CONTEXT_ACTION_MAX 20 ++#define MLX5_FLOW_CONTEXT_ACTION_MAX 32 + static int mlx5_cmd_dr_create_fte(struct mlx5_flow_root_namespace *ns, + struct mlx5_flow_table *ft, + struct mlx5_flow_group *group, +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0038-net-mlx5-DR-Fix-typo-offeset-to-offset.patch b/SPECS/kernel-hci/0038-net-mlx5-DR-Fix-typo-offeset-to-offset.patch new file mode 100644 index 00000000000..b202967b244 --- /dev/null +++ b/SPECS/kernel-hci/0038-net-mlx5-DR-Fix-typo-offeset-to-offset.patch 
@@ -0,0 +1,41 @@ +From 5dde00a73048304f04cac22c4c02198e2f9e74f8 Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Thu, 12 Aug 2021 03:00:52 +0300 +Subject: [PATCH 77/78] net/mlx5: DR, Fix typo 'offeset' to 'offset' + +Signed-off-by: Yevgeny Kliteynik +Signed-off-by: Saeed Mahameed +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +index 0179d386ee48..00199b3eae6a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +@@ -632,7 +632,7 @@ int mlx5dr_actions_build_ste_arr(struct mlx5dr_matcher *matcher, + return -EOPNOTSUPP; + case DR_ACTION_TYP_CTR: + attr.ctr_id = action->ctr->ctr_id + +- action->ctr->offeset; ++ action->ctr->offset; + break; + case DR_ACTION_TYP_TAG: + attr.flow_tag = action->flow_tag->flow_tag; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index 01787b9d5a57..73fed94af09a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -941,7 +941,7 @@ struct mlx5dr_action_dest_tbl { + + struct mlx5dr_action_ctr { + u32 ctr_id; +- u32 offeset; ++ u32 offset; + }; + + struct mlx5dr_action_vport { +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0039-net-mlx5-DR-init_next_match-only-if-needed.patch b/SPECS/kernel-hci/0039-net-mlx5-DR-init_next_match-only-if-needed.patch new file mode 100644 index 00000000000..93a1df65837 --- /dev/null +++ b/SPECS/kernel-hci/0039-net-mlx5-DR-init_next_match-only-if-needed.patch 
@@ -0,0 +1,35 @@ +From 515ce2ffa62175d5442302a72553a14e5165441e Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Sun, 19 Sep 2021 18:48:07 +0300 +Subject: [PATCH 78/78] net/mlx5: DR, init_next_match only if needed + +Allocate next steering table entry only if the remaining space requires to. + +Signed-off-by: Yevgeny Kliteynik +Signed-off-by: Saeed Mahameed +--- + .../net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c +index 3497c2cf3118..cb9cf67b0a02 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c +@@ -586,9 +586,11 @@ static void dr_ste_v1_set_actions_tx(struct mlx5dr_domain *dmn, + } else if (action_type_set[DR_ACTION_TYP_L2_TO_TNL_L3]) { + u8 *d_action; + +- dr_ste_v1_arr_init_next_match(&last_ste, added_stes, attr->gvmi); +- action = MLX5_ADDR_OF(ste_mask_and_match_v1, last_ste, action); +- action_sz = DR_STE_ACTION_TRIPLE_SZ; ++ if (action_sz < DR_STE_ACTION_TRIPLE_SZ) { ++ dr_ste_v1_arr_init_next_match(&last_ste, added_stes, attr->gvmi); ++ action = MLX5_ADDR_OF(ste_mask_and_match_v1, last_ste, action); ++ action_sz = DR_STE_ACTION_TRIPLE_SZ; ++ } + d_action = action + DR_STE_ACTION_SINGLE_SZ; + + dr_ste_v1_set_encap_l3(last_ste, +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0040-net-mlx5-DR-Add-check-for-unsupported-fields-in-matc.patch b/SPECS/kernel-hci/0040-net-mlx5-DR-Add-check-for-unsupported-fields-in-matc.patch new file mode 100644 index 00000000000..fe05e28394e --- /dev/null +++ b/SPECS/kernel-hci/0040-net-mlx5-DR-Add-check-for-unsupported-fields-in-matc.patch 
@@ -0,0 +1,513 @@ +From d0d09abcff67b1570ad505ddc38fb49d848cd90a Mon Sep 17 00:00:00 2001 +From: Muhammad Sammar +Date: Mon, 5 Jul 2021 15:39:38 +0300 +Subject: [PATCH 30/58] net/mlx5: DR, Add check for unsupported fields in match + param + +When a matcher is being built, we "consume" (clear) mask fields one by one, +and to verify that we do support all the required fields we check if the +whole mask was consumed, else the matching request includes unsupported +fields. + +Signed-off-by: Muhammad Sammar +Signed-off-by: Saeed Mahameed +Reviewed-by: Yevgeny Kliteynik +Change-Id: I70a6645bb4fb3f297d42d8caa05a47092881c4d5 +--- + .../mellanox/mlx5/core/steering/dr_matcher.c | 28 +- + .../mellanox/mlx5/core/steering/dr_rule.c | 2 +- + .../mellanox/mlx5/core/steering/dr_ste.c | 272 +++++++++--------- + .../mellanox/mlx5/core/steering/dr_types.h | 3 +- + 4 files changed, 172 insertions(+), 133 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +index a19e8157c100..ce7679893544 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +@@ -863,9 +863,10 @@ static int dr_matcher_init_fdb(struct mlx5dr_matcher *matcher) + static int dr_matcher_init(struct mlx5dr_matcher *matcher, + struct mlx5dr_match_parameters *mask) + { ++ struct mlx5dr_match_parameters consumed_mask; + struct mlx5dr_table *tbl = matcher->tbl; + struct mlx5dr_domain *dmn = tbl->dmn; +- int ret; ++ int i, ret; + + if (matcher->match_criteria >= DR_MATCHER_CRITERIA_MAX) { + mlx5dr_err(dmn, "Invalid match criteria attribute\n"); +@@ -877,8 +878,16 @@ static int dr_matcher_init(struct mlx5dr_matcher *matcher, + mlx5dr_err(dmn, "Invalid match size attribute\n"); + return -EINVAL; + } ++ ++ consumed_mask.match_buf = kzalloc(mask->match_sz, GFP_KERNEL); ++ if (!consumed_mask.match_buf) ++ return -ENOMEM; ++ ++ 
consumed_mask.match_sz = mask->match_sz; ++ memcpy(consumed_mask.match_buf, mask->match_buf, mask->match_sz); + mlx5dr_ste_copy_param(matcher->match_criteria, +- &matcher->mask, mask); ++ &matcher->mask, &consumed_mask, ++ true); + } + + switch (dmn->type) { +@@ -897,9 +906,22 @@ static int dr_matcher_init(struct mlx5dr_matcher *matcher, + break; + default: + WARN_ON(true); +- return -EINVAL; ++ ret = -EINVAL; ++ goto free_consumed_mask; ++ } ++ ++ /* Check that all mask data was consumed */ ++ for (i = 0; i < consumed_mask.match_sz; i++) { ++ if (consumed_mask.match_buf[i]) { ++ mlx5dr_dbg(dmn, "Match param mask contains unsupported parameters\n"); ++ ret = -EOPNOTSUPP; ++ goto free_consumed_mask; ++ } + } + ++ ret = 0; ++free_consumed_mask: ++ kfree(consumed_mask.match_buf); + return ret; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c +index 323ea138ad99..6a390e981b09 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c +@@ -917,7 +917,7 @@ static bool dr_rule_verify(struct mlx5dr_matcher *matcher, + return false; + } + +- mlx5dr_ste_copy_param(matcher->match_criteria, param, value); ++ mlx5dr_ste_copy_param(matcher->match_criteria, param, value, false); + + if (match_criteria & DR_MATCHER_CRITERIA_OUTER) { + s_idx = offsetof(struct mlx5dr_match_param, outer); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c +index 01246a1ae7d1..7e711b2037b5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c +@@ -698,101 +698,116 @@ int mlx5dr_ste_build_ste_arr(struct mlx5dr_matcher *matcher, + return 0; + } + +-static void dr_ste_copy_mask_misc(char *mask, struct mlx5dr_match_misc *spec) +-{ +- spec->gre_c_present = 
MLX5_GET(fte_match_set_misc, mask, gre_c_present); +- spec->gre_k_present = MLX5_GET(fte_match_set_misc, mask, gre_k_present); +- spec->gre_s_present = MLX5_GET(fte_match_set_misc, mask, gre_s_present); +- spec->source_vhca_port = MLX5_GET(fte_match_set_misc, mask, source_vhca_port); +- spec->source_sqn = MLX5_GET(fte_match_set_misc, mask, source_sqn); +- +- spec->source_port = MLX5_GET(fte_match_set_misc, mask, source_port); +- spec->source_eswitch_owner_vhca_id = MLX5_GET(fte_match_set_misc, mask, +- source_eswitch_owner_vhca_id); +- +- spec->outer_second_prio = MLX5_GET(fte_match_set_misc, mask, outer_second_prio); +- spec->outer_second_cfi = MLX5_GET(fte_match_set_misc, mask, outer_second_cfi); +- spec->outer_second_vid = MLX5_GET(fte_match_set_misc, mask, outer_second_vid); +- spec->inner_second_prio = MLX5_GET(fte_match_set_misc, mask, inner_second_prio); +- spec->inner_second_cfi = MLX5_GET(fte_match_set_misc, mask, inner_second_cfi); +- spec->inner_second_vid = MLX5_GET(fte_match_set_misc, mask, inner_second_vid); ++#define IFC_GET_CLR(typ, p, fld, clear) ({ \ ++ void *__p = (p); \ ++ u32 __t = MLX5_GET(typ, __p, fld); \ ++ if (clear) \ ++ MLX5_SET(typ, __p, fld, 0); \ ++ __t; \ ++}) ++ ++#define memcpy_and_clear(to, from, len, clear) ({ \ ++ void *__to = (to), *__from = (from); \ ++ size_t __len = (len); \ ++ memcpy(__to, __from, __len); \ ++ if (clear) \ ++ memset(__from, 0, __len); \ ++}) ++ ++static void dr_ste_copy_mask_misc(char *mask, struct mlx5dr_match_misc *spec, bool clr) ++{ ++ spec->gre_c_present = IFC_GET_CLR(fte_match_set_misc, mask, gre_c_present, clr); ++ spec->gre_k_present = IFC_GET_CLR(fte_match_set_misc, mask, gre_k_present, clr); ++ spec->gre_s_present = IFC_GET_CLR(fte_match_set_misc, mask, gre_s_present, clr); ++ spec->source_vhca_port = IFC_GET_CLR(fte_match_set_misc, mask, source_vhca_port, clr); ++ spec->source_sqn = IFC_GET_CLR(fte_match_set_misc, mask, source_sqn, clr); ++ ++ spec->source_port = IFC_GET_CLR(fte_match_set_misc, 
mask, source_port, clr); ++ spec->source_eswitch_owner_vhca_id = ++ IFC_GET_CLR(fte_match_set_misc, mask, source_eswitch_owner_vhca_id, clr); ++ ++ spec->outer_second_prio = IFC_GET_CLR(fte_match_set_misc, mask, outer_second_prio, clr); ++ spec->outer_second_cfi = IFC_GET_CLR(fte_match_set_misc, mask, outer_second_cfi, clr); ++ spec->outer_second_vid = IFC_GET_CLR(fte_match_set_misc, mask, outer_second_vid, clr); ++ spec->inner_second_prio = IFC_GET_CLR(fte_match_set_misc, mask, inner_second_prio, clr); ++ spec->inner_second_cfi = IFC_GET_CLR(fte_match_set_misc, mask, inner_second_cfi, clr); ++ spec->inner_second_vid = IFC_GET_CLR(fte_match_set_misc, mask, inner_second_vid, clr); + + spec->outer_second_cvlan_tag = +- MLX5_GET(fte_match_set_misc, mask, outer_second_cvlan_tag); ++ IFC_GET_CLR(fte_match_set_misc, mask, outer_second_cvlan_tag, clr); + spec->inner_second_cvlan_tag = +- MLX5_GET(fte_match_set_misc, mask, inner_second_cvlan_tag); ++ IFC_GET_CLR(fte_match_set_misc, mask, inner_second_cvlan_tag, clr); + spec->outer_second_svlan_tag = +- MLX5_GET(fte_match_set_misc, mask, outer_second_svlan_tag); ++ IFC_GET_CLR(fte_match_set_misc, mask, outer_second_svlan_tag, clr); + spec->inner_second_svlan_tag = +- MLX5_GET(fte_match_set_misc, mask, inner_second_svlan_tag); +- +- spec->gre_protocol = MLX5_GET(fte_match_set_misc, mask, gre_protocol); ++ IFC_GET_CLR(fte_match_set_misc, mask, inner_second_svlan_tag, clr); ++ spec->gre_protocol = IFC_GET_CLR(fte_match_set_misc, mask, gre_protocol, clr); + +- spec->gre_key_h = MLX5_GET(fte_match_set_misc, mask, gre_key.nvgre.hi); +- spec->gre_key_l = MLX5_GET(fte_match_set_misc, mask, gre_key.nvgre.lo); ++ spec->gre_key_h = IFC_GET_CLR(fte_match_set_misc, mask, gre_key.nvgre.hi, clr); ++ spec->gre_key_l = IFC_GET_CLR(fte_match_set_misc, mask, gre_key.nvgre.lo, clr); + +- spec->vxlan_vni = MLX5_GET(fte_match_set_misc, mask, vxlan_vni); ++ spec->vxlan_vni = IFC_GET_CLR(fte_match_set_misc, mask, vxlan_vni, clr); + +- 
spec->geneve_vni = MLX5_GET(fte_match_set_misc, mask, geneve_vni); +- spec->geneve_oam = MLX5_GET(fte_match_set_misc, mask, geneve_oam); ++ spec->geneve_vni = IFC_GET_CLR(fte_match_set_misc, mask, geneve_vni, clr); ++ spec->geneve_oam = IFC_GET_CLR(fte_match_set_misc, mask, geneve_oam, clr); + + spec->outer_ipv6_flow_label = +- MLX5_GET(fte_match_set_misc, mask, outer_ipv6_flow_label); ++ IFC_GET_CLR(fte_match_set_misc, mask, outer_ipv6_flow_label, clr); + + spec->inner_ipv6_flow_label = +- MLX5_GET(fte_match_set_misc, mask, inner_ipv6_flow_label); ++ IFC_GET_CLR(fte_match_set_misc, mask, inner_ipv6_flow_label, clr); + +- spec->geneve_opt_len = MLX5_GET(fte_match_set_misc, mask, geneve_opt_len); ++ spec->geneve_opt_len = IFC_GET_CLR(fte_match_set_misc, mask, geneve_opt_len, clr); + spec->geneve_protocol_type = +- MLX5_GET(fte_match_set_misc, mask, geneve_protocol_type); ++ IFC_GET_CLR(fte_match_set_misc, mask, geneve_protocol_type, clr); + +- spec->bth_dst_qp = MLX5_GET(fte_match_set_misc, mask, bth_dst_qp); ++ spec->bth_dst_qp = IFC_GET_CLR(fte_match_set_misc, mask, bth_dst_qp, clr); + } + +-static void dr_ste_copy_mask_spec(char *mask, struct mlx5dr_match_spec *spec) ++static void dr_ste_copy_mask_spec(char *mask, struct mlx5dr_match_spec *spec, bool clr) + { + __be32 raw_ip[4]; + +- spec->smac_47_16 = MLX5_GET(fte_match_set_lyr_2_4, mask, smac_47_16); ++ spec->smac_47_16 = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, smac_47_16, clr); + +- spec->smac_15_0 = MLX5_GET(fte_match_set_lyr_2_4, mask, smac_15_0); +- spec->ethertype = MLX5_GET(fte_match_set_lyr_2_4, mask, ethertype); ++ spec->smac_15_0 = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, smac_15_0, clr); ++ spec->ethertype = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, ethertype, clr); + +- spec->dmac_47_16 = MLX5_GET(fte_match_set_lyr_2_4, mask, dmac_47_16); ++ spec->dmac_47_16 = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, dmac_47_16, clr); + +- spec->dmac_15_0 = MLX5_GET(fte_match_set_lyr_2_4, mask, dmac_15_0); +- 
spec->first_prio = MLX5_GET(fte_match_set_lyr_2_4, mask, first_prio); +- spec->first_cfi = MLX5_GET(fte_match_set_lyr_2_4, mask, first_cfi); +- spec->first_vid = MLX5_GET(fte_match_set_lyr_2_4, mask, first_vid); ++ spec->dmac_15_0 = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, dmac_15_0, clr); ++ spec->first_prio = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, first_prio, clr); ++ spec->first_cfi = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, first_cfi, clr); ++ spec->first_vid = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, first_vid, clr); + +- spec->ip_protocol = MLX5_GET(fte_match_set_lyr_2_4, mask, ip_protocol); +- spec->ip_dscp = MLX5_GET(fte_match_set_lyr_2_4, mask, ip_dscp); +- spec->ip_ecn = MLX5_GET(fte_match_set_lyr_2_4, mask, ip_ecn); +- spec->cvlan_tag = MLX5_GET(fte_match_set_lyr_2_4, mask, cvlan_tag); +- spec->svlan_tag = MLX5_GET(fte_match_set_lyr_2_4, mask, svlan_tag); +- spec->frag = MLX5_GET(fte_match_set_lyr_2_4, mask, frag); +- spec->ip_version = MLX5_GET(fte_match_set_lyr_2_4, mask, ip_version); +- spec->tcp_flags = MLX5_GET(fte_match_set_lyr_2_4, mask, tcp_flags); +- spec->tcp_sport = MLX5_GET(fte_match_set_lyr_2_4, mask, tcp_sport); +- spec->tcp_dport = MLX5_GET(fte_match_set_lyr_2_4, mask, tcp_dport); ++ spec->ip_protocol = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, ip_protocol, clr); ++ spec->ip_dscp = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, ip_dscp, clr); ++ spec->ip_ecn = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, ip_ecn, clr); ++ spec->cvlan_tag = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, cvlan_tag, clr); ++ spec->svlan_tag = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, svlan_tag, clr); ++ spec->frag = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, frag, clr); ++ spec->ip_version = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, ip_version, clr); ++ spec->tcp_flags = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, tcp_flags, clr); ++ spec->tcp_sport = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, tcp_sport, clr); ++ spec->tcp_dport = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, tcp_dport, 
clr); + +- spec->ttl_hoplimit = MLX5_GET(fte_match_set_lyr_2_4, mask, ttl_hoplimit); ++ spec->ttl_hoplimit = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, ttl_hoplimit, clr); + +- spec->udp_sport = MLX5_GET(fte_match_set_lyr_2_4, mask, udp_sport); +- spec->udp_dport = MLX5_GET(fte_match_set_lyr_2_4, mask, udp_dport); ++ spec->udp_sport = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, udp_sport, clr); ++ spec->udp_dport = IFC_GET_CLR(fte_match_set_lyr_2_4, mask, udp_dport, clr); + +- memcpy(raw_ip, MLX5_ADDR_OF(fte_match_set_lyr_2_4, mask, +- src_ipv4_src_ipv6.ipv6_layout.ipv6), +- sizeof(raw_ip)); ++ memcpy_and_clear(raw_ip, MLX5_ADDR_OF(fte_match_set_lyr_2_4, mask, ++ src_ipv4_src_ipv6.ipv6_layout.ipv6), ++ sizeof(raw_ip), clr); + + spec->src_ip_127_96 = be32_to_cpu(raw_ip[0]); + spec->src_ip_95_64 = be32_to_cpu(raw_ip[1]); + spec->src_ip_63_32 = be32_to_cpu(raw_ip[2]); + spec->src_ip_31_0 = be32_to_cpu(raw_ip[3]); + +- memcpy(raw_ip, MLX5_ADDR_OF(fte_match_set_lyr_2_4, mask, +- dst_ipv4_dst_ipv6.ipv6_layout.ipv6), +- sizeof(raw_ip)); ++ memcpy_and_clear(raw_ip, MLX5_ADDR_OF(fte_match_set_lyr_2_4, mask, ++ dst_ipv4_dst_ipv6.ipv6_layout.ipv6), ++ sizeof(raw_ip), clr); + + spec->dst_ip_127_96 = be32_to_cpu(raw_ip[0]); + spec->dst_ip_95_64 = be32_to_cpu(raw_ip[1]); +@@ -800,104 +815,105 @@ static void dr_ste_copy_mask_spec(char *mask, struct mlx5dr_match_spec *spec) + spec->dst_ip_31_0 = be32_to_cpu(raw_ip[3]); + } + +-static void dr_ste_copy_mask_misc2(char *mask, struct mlx5dr_match_misc2 *spec) ++static void dr_ste_copy_mask_misc2(char *mask, struct mlx5dr_match_misc2 *spec, bool clr) + { + spec->outer_first_mpls_label = +- MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls.mpls_label); ++ IFC_GET_CLR(fte_match_set_misc2, mask, outer_first_mpls.mpls_label, clr); + spec->outer_first_mpls_exp = +- MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls.mpls_exp); ++ IFC_GET_CLR(fte_match_set_misc2, mask, outer_first_mpls.mpls_exp, clr); + spec->outer_first_mpls_s_bos = +- 
MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls.mpls_s_bos); ++ IFC_GET_CLR(fte_match_set_misc2, mask, outer_first_mpls.mpls_s_bos, clr); + spec->outer_first_mpls_ttl = +- MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls.mpls_ttl); ++ IFC_GET_CLR(fte_match_set_misc2, mask, outer_first_mpls.mpls_ttl, clr); + spec->inner_first_mpls_label = +- MLX5_GET(fte_match_set_misc2, mask, inner_first_mpls.mpls_label); ++ IFC_GET_CLR(fte_match_set_misc2, mask, inner_first_mpls.mpls_label, clr); + spec->inner_first_mpls_exp = +- MLX5_GET(fte_match_set_misc2, mask, inner_first_mpls.mpls_exp); ++ IFC_GET_CLR(fte_match_set_misc2, mask, inner_first_mpls.mpls_exp, clr); + spec->inner_first_mpls_s_bos = +- MLX5_GET(fte_match_set_misc2, mask, inner_first_mpls.mpls_s_bos); ++ IFC_GET_CLR(fte_match_set_misc2, mask, inner_first_mpls.mpls_s_bos, clr); + spec->inner_first_mpls_ttl = +- MLX5_GET(fte_match_set_misc2, mask, inner_first_mpls.mpls_ttl); ++ IFC_GET_CLR(fte_match_set_misc2, mask, inner_first_mpls.mpls_ttl, clr); + spec->outer_first_mpls_over_gre_label = +- MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls_over_gre.mpls_label); ++ IFC_GET_CLR(fte_match_set_misc2, mask, outer_first_mpls_over_gre.mpls_label, clr); + spec->outer_first_mpls_over_gre_exp = +- MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls_over_gre.mpls_exp); ++ IFC_GET_CLR(fte_match_set_misc2, mask, outer_first_mpls_over_gre.mpls_exp, clr); + spec->outer_first_mpls_over_gre_s_bos = +- MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls_over_gre.mpls_s_bos); ++ IFC_GET_CLR(fte_match_set_misc2, mask, outer_first_mpls_over_gre.mpls_s_bos, clr); + spec->outer_first_mpls_over_gre_ttl = +- MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls_over_gre.mpls_ttl); ++ IFC_GET_CLR(fte_match_set_misc2, mask, outer_first_mpls_over_gre.mpls_ttl, clr); + spec->outer_first_mpls_over_udp_label = +- MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls_over_udp.mpls_label); ++ IFC_GET_CLR(fte_match_set_misc2, mask, 
outer_first_mpls_over_udp.mpls_label, clr); + spec->outer_first_mpls_over_udp_exp = +- MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls_over_udp.mpls_exp); ++ IFC_GET_CLR(fte_match_set_misc2, mask, outer_first_mpls_over_udp.mpls_exp, clr); + spec->outer_first_mpls_over_udp_s_bos = +- MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls_over_udp.mpls_s_bos); ++ IFC_GET_CLR(fte_match_set_misc2, mask, outer_first_mpls_over_udp.mpls_s_bos, clr); + spec->outer_first_mpls_over_udp_ttl = +- MLX5_GET(fte_match_set_misc2, mask, outer_first_mpls_over_udp.mpls_ttl); +- spec->metadata_reg_c_7 = MLX5_GET(fte_match_set_misc2, mask, metadata_reg_c_7); +- spec->metadata_reg_c_6 = MLX5_GET(fte_match_set_misc2, mask, metadata_reg_c_6); +- spec->metadata_reg_c_5 = MLX5_GET(fte_match_set_misc2, mask, metadata_reg_c_5); +- spec->metadata_reg_c_4 = MLX5_GET(fte_match_set_misc2, mask, metadata_reg_c_4); +- spec->metadata_reg_c_3 = MLX5_GET(fte_match_set_misc2, mask, metadata_reg_c_3); +- spec->metadata_reg_c_2 = MLX5_GET(fte_match_set_misc2, mask, metadata_reg_c_2); +- spec->metadata_reg_c_1 = MLX5_GET(fte_match_set_misc2, mask, metadata_reg_c_1); +- spec->metadata_reg_c_0 = MLX5_GET(fte_match_set_misc2, mask, metadata_reg_c_0); +- spec->metadata_reg_a = MLX5_GET(fte_match_set_misc2, mask, metadata_reg_a); +-} +- +-static void dr_ste_copy_mask_misc3(char *mask, struct mlx5dr_match_misc3 *spec) +-{ +- spec->inner_tcp_seq_num = MLX5_GET(fte_match_set_misc3, mask, inner_tcp_seq_num); +- spec->outer_tcp_seq_num = MLX5_GET(fte_match_set_misc3, mask, outer_tcp_seq_num); +- spec->inner_tcp_ack_num = MLX5_GET(fte_match_set_misc3, mask, inner_tcp_ack_num); +- spec->outer_tcp_ack_num = MLX5_GET(fte_match_set_misc3, mask, outer_tcp_ack_num); ++ IFC_GET_CLR(fte_match_set_misc2, mask, outer_first_mpls_over_udp.mpls_ttl, clr); ++ spec->metadata_reg_c_7 = IFC_GET_CLR(fte_match_set_misc2, mask, metadata_reg_c_7, clr); ++ spec->metadata_reg_c_6 = IFC_GET_CLR(fte_match_set_misc2, mask, 
metadata_reg_c_6, clr); ++ spec->metadata_reg_c_5 = IFC_GET_CLR(fte_match_set_misc2, mask, metadata_reg_c_5, clr); ++ spec->metadata_reg_c_4 = IFC_GET_CLR(fte_match_set_misc2, mask, metadata_reg_c_4, clr); ++ spec->metadata_reg_c_3 = IFC_GET_CLR(fte_match_set_misc2, mask, metadata_reg_c_3, clr); ++ spec->metadata_reg_c_2 = IFC_GET_CLR(fte_match_set_misc2, mask, metadata_reg_c_2, clr); ++ spec->metadata_reg_c_1 = IFC_GET_CLR(fte_match_set_misc2, mask, metadata_reg_c_1, clr); ++ spec->metadata_reg_c_0 = IFC_GET_CLR(fte_match_set_misc2, mask, metadata_reg_c_0, clr); ++ spec->metadata_reg_a = IFC_GET_CLR(fte_match_set_misc2, mask, metadata_reg_a, clr); ++} ++ ++static void dr_ste_copy_mask_misc3(char *mask, struct mlx5dr_match_misc3 *spec, bool clr) ++{ ++ spec->inner_tcp_seq_num = IFC_GET_CLR(fte_match_set_misc3, mask, inner_tcp_seq_num, clr); ++ spec->outer_tcp_seq_num = IFC_GET_CLR(fte_match_set_misc3, mask, outer_tcp_seq_num, clr); ++ spec->inner_tcp_ack_num = IFC_GET_CLR(fte_match_set_misc3, mask, inner_tcp_ack_num, clr); ++ spec->outer_tcp_ack_num = IFC_GET_CLR(fte_match_set_misc3, mask, outer_tcp_ack_num, clr); + spec->outer_vxlan_gpe_vni = +- MLX5_GET(fte_match_set_misc3, mask, outer_vxlan_gpe_vni); ++ IFC_GET_CLR(fte_match_set_misc3, mask, outer_vxlan_gpe_vni, clr); + spec->outer_vxlan_gpe_next_protocol = +- MLX5_GET(fte_match_set_misc3, mask, outer_vxlan_gpe_next_protocol); ++ IFC_GET_CLR(fte_match_set_misc3, mask, outer_vxlan_gpe_next_protocol, clr); + spec->outer_vxlan_gpe_flags = +- MLX5_GET(fte_match_set_misc3, mask, outer_vxlan_gpe_flags); +- spec->icmpv4_header_data = MLX5_GET(fte_match_set_misc3, mask, icmp_header_data); ++ IFC_GET_CLR(fte_match_set_misc3, mask, outer_vxlan_gpe_flags, clr); ++ spec->icmpv4_header_data = IFC_GET_CLR(fte_match_set_misc3, mask, icmp_header_data, clr); + spec->icmpv6_header_data = +- MLX5_GET(fte_match_set_misc3, mask, icmpv6_header_data); +- spec->icmpv4_type = MLX5_GET(fte_match_set_misc3, mask, icmp_type); +- 
spec->icmpv4_code = MLX5_GET(fte_match_set_misc3, mask, icmp_code); +- spec->icmpv6_type = MLX5_GET(fte_match_set_misc3, mask, icmpv6_type); +- spec->icmpv6_code = MLX5_GET(fte_match_set_misc3, mask, icmpv6_code); ++ IFC_GET_CLR(fte_match_set_misc3, mask, icmpv6_header_data, clr); ++ spec->icmpv4_type = IFC_GET_CLR(fte_match_set_misc3, mask, icmp_type, clr); ++ spec->icmpv4_code = IFC_GET_CLR(fte_match_set_misc3, mask, icmp_code, clr); ++ spec->icmpv6_type = IFC_GET_CLR(fte_match_set_misc3, mask, icmpv6_type, clr); ++ spec->icmpv6_code = IFC_GET_CLR(fte_match_set_misc3, mask, icmpv6_code, clr); + spec->geneve_tlv_option_0_data = +- MLX5_GET(fte_match_set_misc3, mask, geneve_tlv_option_0_data); +- spec->gtpu_msg_flags = MLX5_GET(fte_match_set_misc3, mask, gtpu_msg_flags); +- spec->gtpu_msg_type = MLX5_GET(fte_match_set_misc3, mask, gtpu_msg_type); +- spec->gtpu_teid = MLX5_GET(fte_match_set_misc3, mask, gtpu_teid); +- spec->gtpu_dw_0 = MLX5_GET(fte_match_set_misc3, mask, gtpu_dw_0); +- spec->gtpu_dw_2 = MLX5_GET(fte_match_set_misc3, mask, gtpu_dw_2); ++ IFC_GET_CLR(fte_match_set_misc3, mask, geneve_tlv_option_0_data, clr); ++ spec->gtpu_teid = IFC_GET_CLR(fte_match_set_misc3, mask, gtpu_teid, clr); ++ spec->gtpu_msg_flags = IFC_GET_CLR(fte_match_set_misc3, mask, gtpu_msg_flags, clr); ++ spec->gtpu_msg_type = IFC_GET_CLR(fte_match_set_misc3, mask, gtpu_msg_type, clr); ++ spec->gtpu_dw_0 = IFC_GET_CLR(fte_match_set_misc3, mask, gtpu_dw_0, clr); ++ spec->gtpu_dw_2 = IFC_GET_CLR(fte_match_set_misc3, mask, gtpu_dw_2, clr); + spec->gtpu_first_ext_dw_0 = +- MLX5_GET(fte_match_set_misc3, mask, gtpu_first_ext_dw_0); ++ IFC_GET_CLR(fte_match_set_misc3, mask, gtpu_first_ext_dw_0, clr); + } + +-static void dr_ste_copy_mask_misc4(char *mask, struct mlx5dr_match_misc4 *spec) ++static void dr_ste_copy_mask_misc4(char *mask, struct mlx5dr_match_misc4 *spec, bool clr) + { + spec->prog_sample_field_id_0 = +- MLX5_GET(fte_match_set_misc4, mask, prog_sample_field_id_0); ++ 
IFC_GET_CLR(fte_match_set_misc4, mask, prog_sample_field_id_0, clr); + spec->prog_sample_field_value_0 = +- MLX5_GET(fte_match_set_misc4, mask, prog_sample_field_value_0); ++ IFC_GET_CLR(fte_match_set_misc4, mask, prog_sample_field_value_0, clr); + spec->prog_sample_field_id_1 = +- MLX5_GET(fte_match_set_misc4, mask, prog_sample_field_id_1); ++ IFC_GET_CLR(fte_match_set_misc4, mask, prog_sample_field_id_1, clr); + spec->prog_sample_field_value_1 = +- MLX5_GET(fte_match_set_misc4, mask, prog_sample_field_value_1); ++ IFC_GET_CLR(fte_match_set_misc4, mask, prog_sample_field_value_1, clr); + spec->prog_sample_field_id_2 = +- MLX5_GET(fte_match_set_misc4, mask, prog_sample_field_id_2); ++ IFC_GET_CLR(fte_match_set_misc4, mask, prog_sample_field_id_2, clr); + spec->prog_sample_field_value_2 = +- MLX5_GET(fte_match_set_misc4, mask, prog_sample_field_value_2); ++ IFC_GET_CLR(fte_match_set_misc4, mask, prog_sample_field_value_2, clr); + spec->prog_sample_field_id_3 = +- MLX5_GET(fte_match_set_misc4, mask, prog_sample_field_id_3); ++ IFC_GET_CLR(fte_match_set_misc4, mask, prog_sample_field_id_3, clr); + spec->prog_sample_field_value_3 = +- MLX5_GET(fte_match_set_misc4, mask, prog_sample_field_value_3); ++ IFC_GET_CLR(fte_match_set_misc4, mask, prog_sample_field_value_3, clr); + } + + void mlx5dr_ste_copy_param(u8 match_criteria, + struct mlx5dr_match_param *set_param, +- struct mlx5dr_match_parameters *mask) ++ struct mlx5dr_match_parameters *mask, ++ bool clr) + { + u8 tail_param[MLX5_ST_SZ_BYTES(fte_match_set_lyr_2_4)] = {}; + u8 *data = (u8 *)mask->match_buf; +@@ -911,7 +927,7 @@ void mlx5dr_ste_copy_param(u8 match_criteria, + } else { + buff = mask->match_buf; + } +- dr_ste_copy_mask_spec(buff, &set_param->outer); ++ dr_ste_copy_mask_spec(buff, &set_param->outer, clr); + } + param_location = sizeof(struct mlx5dr_match_spec); + +@@ -924,7 +940,7 @@ void mlx5dr_ste_copy_param(u8 match_criteria, + } else { + buff = data + param_location; + } +- dr_ste_copy_mask_misc(buff, 
&set_param->misc); ++ dr_ste_copy_mask_misc(buff, &set_param->misc, clr); + } + param_location += sizeof(struct mlx5dr_match_misc); + +@@ -937,7 +953,7 @@ void mlx5dr_ste_copy_param(u8 match_criteria, + } else { + buff = data + param_location; + } +- dr_ste_copy_mask_spec(buff, &set_param->inner); ++ dr_ste_copy_mask_spec(buff, &set_param->inner, clr); + } + param_location += sizeof(struct mlx5dr_match_spec); + +@@ -950,7 +966,7 @@ void mlx5dr_ste_copy_param(u8 match_criteria, + } else { + buff = data + param_location; + } +- dr_ste_copy_mask_misc2(buff, &set_param->misc2); ++ dr_ste_copy_mask_misc2(buff, &set_param->misc2, clr); + } + + param_location += sizeof(struct mlx5dr_match_misc2); +@@ -964,7 +980,7 @@ void mlx5dr_ste_copy_param(u8 match_criteria, + } else { + buff = data + param_location; + } +- dr_ste_copy_mask_misc3(buff, &set_param->misc3); ++ dr_ste_copy_mask_misc3(buff, &set_param->misc3, clr); + } + + param_location += sizeof(struct mlx5dr_match_misc3); +@@ -978,7 +994,7 @@ void mlx5dr_ste_copy_param(u8 match_criteria, + } else { + buff = data + param_location; + } +- dr_ste_copy_mask_misc4(buff, &set_param->misc4); ++ dr_ste_copy_mask_misc4(buff, &set_param->misc4, clr); + } + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index 211e8e224909..7a2bfef059b0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -1255,7 +1255,8 @@ void mlx5dr_ste_set_formatted_ste(struct mlx5dr_ste_ctx *ste_ctx, + struct mlx5dr_htbl_connect_info *connect_info); + void mlx5dr_ste_copy_param(u8 match_criteria, + struct mlx5dr_match_param *set_param, +- struct mlx5dr_match_parameters *mask); ++ struct mlx5dr_match_parameters *mask, ++ bool clear); + + struct mlx5dr_qp { + struct mlx5_core_dev *mdev; +-- +2.31.1 + 
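Review bot: The unconditional `ret = 0;` that 0040 places after the consumed-mask loop in dr_matcher_init (hunk `@@ -897,9 +906,22 @@` of dr_matcher.c) overwrites whatever the earlier switch cases stored in `ret` (their bodies are outside the hunk), so a failed nic/fdb matcher init would be reported as success, and the `kfree(consumed_mask.match_buf)` at `free_consumed_mask:` runs even when the block that allocates the buffer — apparently an `if (mask)` guard whose opening is outside the hunk — was skipped, leaving the pointer uninitialised. The new loop also indexes `consumed_mask.match_buf[i]` without a byte cast, which 0041's description identifies as an out-of-bounds read. All three are repaired by 0041 and 0042 added in this same commit, so 0040 must never be applied without them; consider folding the fixes into 0040 or recording the ordering dependency where the spec lists these patches. The end result is worth keeping: a matcher whose mask carries fields the software-steering path does not consume is refused with -EOPNOTSUPP rather than being programmed with those fields silently ignored, which is presumably what happened before.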
diff --git a/SPECS/kernel-hci/0041-net-mlx5-DR-Fix-check-for-unsupported-fields-in-matc.patch b/SPECS/kernel-hci/0041-net-mlx5-DR-Fix-check-for-unsupported-fields-in-matc.patch
new file mode 100644
index 00000000000..09ba940d6a5
--- /dev/null
+++ b/SPECS/kernel-hci/0041-net-mlx5-DR-Fix-check-for-unsupported-fields-in-matc.patch
@@ -0,0 +1,42 @@
+From 97859e6a1e23342d1b4a0d599900fb7b12a48166 Mon Sep 17 00:00:00 2001
+From: Yevgeny Kliteynik
+Date: Wed, 3 Nov 2021 17:51:03 +0200
+Subject: [PATCH 31/58] net/mlx5: DR, Fix check for unsupported fields in match
+ param
+
+The existing loop doesn't cast the buffer while scanning it, which
+results in out-of-bounds read and failure to create the matcher.
+
+Fixes: 941f19798a11 ("net/mlx5: DR, Add check for unsupported fields in match param")
+Signed-off-by: Yevgeny Kliteynik
+Signed-off-by: Saeed Mahameed
+Change-Id: Iea57946e92324c3535739353b280454d37fce7e4
+---
+ .../ethernet/mellanox/mlx5/core/steering/dr_matcher.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
+index ce7679893544..1a1494a965f9 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
+@@ -912,11 +912,12 @@ static int dr_matcher_init(struct mlx5dr_matcher *matcher,
+ 
+ /* Check that all mask data was consumed */
+ for (i = 0; i < consumed_mask.match_sz; i++) {
+- if (consumed_mask.match_buf[i]) {
+- mlx5dr_dbg(dmn, "Match param mask contains unsupported parameters\n");
+- ret = -EOPNOTSUPP;
+- goto free_consumed_mask;
+- }
++ if (!((u8 *)consumed_mask.match_buf)[i])
++ continue;
++
++ mlx5dr_dbg(dmn, "Match param mask contains unsupported parameters\n");
++ ret = -EOPNOTSUPP;
++ goto free_consumed_mask;
+ }
+ 
+ ret = 0;
+-- 
+2.31.1
+
diff --git a/SPECS/kernel-hci/0042-net-mlx5-DR-Fix-error-flow-in-creating-matcher.patch b/SPECS/kernel-hci/0042-net-mlx5-DR-Fix-error-flow-in-creating-matcher.patch
new file mode 100644
index 00000000000..654b1dcd01d
--- /dev/null
+++ b/SPECS/kernel-hci/0042-net-mlx5-DR-Fix-error-flow-in-creating-matcher.patch
@@ -0,0 +1,103 @@
+From 367ac738488c0ddfa4066c89f1b72d78e05587e6 Mon Sep 17 00:00:00 2001
+From: Yevgeny Kliteynik
+Date: Tue, 14 Dec 2021 12:56:18 +0200
+Subject: [PATCH 33/58] net/mlx5: DR, Fix error flow in creating matcher
+
+The error code of nic matcher init functions wasn't checked.
+This patch improves the matcher init function and fix error flow bug:
+the handling of match parameter is moved into a separate function
+and error flow is simplified.
+
+Signed-off-by: Yevgeny Kliteynik
+Change-Id: I30724ffd28dca2c450b0de318acb9566c1f6b549
+---
+ .../mellanox/mlx5/core/steering/dr_matcher.c | 53 +++++++++++--------
+ 1 file changed, 32 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
+index 1a1494a965f9..01213045a8a8 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
+@@ -860,13 +860,12 @@ static int dr_matcher_init_fdb(struct mlx5dr_matcher *matcher)
+ return ret;
+ }
+ 
+-static int dr_matcher_init(struct mlx5dr_matcher *matcher,
+- struct mlx5dr_match_parameters *mask)
++static int dr_matcher_copy_param(struct mlx5dr_matcher *matcher,
++ struct mlx5dr_match_parameters *mask)
+ {
++ struct mlx5dr_domain *dmn = matcher->tbl->dmn;
+ struct mlx5dr_match_parameters consumed_mask;
+- struct mlx5dr_table *tbl = matcher->tbl;
+- struct mlx5dr_domain *dmn = tbl->dmn;
+- int i, ret;
++ int i, ret = 0;
+ 
+ if (matcher->match_criteria >= DR_MATCHER_CRITERIA_MAX) {
+ mlx5dr_err(dmn, "Invalid match criteria attribute\n");
+@@ -886,10 +885,36 @@ static int dr_matcher_init(struct mlx5dr_matcher *matcher,
+ consumed_mask.match_sz = mask->match_sz;
+ memcpy(consumed_mask.match_buf, mask->match_buf, mask->match_sz);
+ mlx5dr_ste_copy_param(matcher->match_criteria,
+- &matcher->mask, &consumed_mask,
+- true);
++ &matcher->mask, &consumed_mask, true);
++
++ /* Check that all mask data was consumed */
++ for (i = 0; i < consumed_mask.match_sz; i++) {
++ if (!((u8 *)consumed_mask.match_buf)[i])
++ continue;
++
++ mlx5dr_dbg(dmn,
++ "Match param mask contains unsupported parameters\n");
++ ret = -EOPNOTSUPP;
++ break;
++ }
++
++ kfree(consumed_mask.match_buf);
+ }
+ 
++ return ret;
++}
++
++static int dr_matcher_init(struct mlx5dr_matcher *matcher,
++ struct mlx5dr_match_parameters *mask)
++{
++ struct mlx5dr_table *tbl = matcher->tbl;
++ struct mlx5dr_domain *dmn = tbl->dmn;
++ int ret;
++
++ ret = dr_matcher_copy_param(matcher, mask);
++ if (ret)
++ return ret;
++
+ switch (dmn->type) {
+ case MLX5DR_DOMAIN_TYPE_NIC_RX:
+ matcher->rx.nic_tbl = &tbl->rx;
+@@ -907,22 +932,8 @@ static int dr_matcher_init(struct mlx5dr_matcher *matcher,
+ default:
+ WARN_ON(true);
+ ret = -EINVAL;
+- goto free_consumed_mask;
+- }
+- 
+- /* Check that all mask data was consumed */
+- for (i = 0; i < consumed_mask.match_sz; i++) {
+- if (!((u8 *)consumed_mask.match_buf)[i])
+- continue;
+- 
+- mlx5dr_dbg(dmn, "Match param mask contains unsupported parameters\n");
+- ret = -EOPNOTSUPP;
+- goto free_consumed_mask;
+ }
+ 
+- ret = 0;
+-free_consumed_mask:
+- kfree(consumed_mask.match_buf);
+ return ret;
+ }
+ 
+-- 
+2.31.1
+
diff --git a/SPECS/kernel-hci/0043-net-mlx5-DR-Fix-lower-case-macro-prefix-mlx5_-to-MLX.patch b/SPECS/kernel-hci/0043-net-mlx5-DR-Fix-lower-case-macro-prefix-mlx5_-to-MLX.patch
new file mode 100644
index 00000000000..7695056cb4e
--- /dev/null
+++ b/SPECS/kernel-hci/0043-net-mlx5-DR-Fix-lower-case-macro-prefix-mlx5_-to-MLX.patch
@@ -0,0 +1,59 @@
+From 7757e47ea2b7e94eab8287b09ff7c044bd48c2d6 Mon Sep 17 00:00:00 2001
+From: Yevgeny Kliteynik
+Date: Thu, 18 Nov 2021 02:32:37 +0200
+Subject: [PATCH 34/58] net/mlx5: DR, Fix lower case macro prefix "mlx5_" to
+ "MLX5_"
+
+Macros prefix should be capital letters - fix the prefix in
+mlx5_FLEX_PARSER_MPLS_OVER_UDP_ENABLED.
+
+Signed-off-by: Yevgeny Kliteynik
+Change-Id: I39ce594f9d5b7e591855f982cdf6c350bc12b2bf
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c | 2 +-
+ include/linux/mlx5/mlx5_ifc.h | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
+index 2f2d571b6143..868dd83c7329 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
+@@ -152,7 +152,7 @@ int mlx5dr_cmd_query_device(struct mlx5_core_dev *mdev,
+ caps->flex_parser_id_mpls_over_gre =
+ MLX5_CAP_GEN(mdev, flex_parser_id_outer_first_mpls_over_gre);
+ 
+- if (caps->flex_protocols & mlx5_FLEX_PARSER_MPLS_OVER_UDP_ENABLED)
++ if (caps->flex_protocols & MLX5_FLEX_PARSER_MPLS_OVER_UDP_ENABLED)
+ caps->flex_parser_id_mpls_over_udp =
+ MLX5_CAP_GEN(mdev, flex_parser_id_outer_first_mpls_over_udp_label);
+ 
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
+index 01213045a8a8..7e1b3de7731c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
+@@ -347,7 +347,7 @@ static bool dr_mask_is_tnl_mpls_over_gre(struct mlx5dr_match_param *mask,
+ 
+ static int dr_matcher_supp_tnl_mpls_over_udp(struct mlx5dr_cmd_caps *caps)
+ {
+- return caps->flex_protocols & mlx5_FLEX_PARSER_MPLS_OVER_UDP_ENABLED;
++ return caps->flex_protocols & MLX5_FLEX_PARSER_MPLS_OVER_UDP_ENABLED;
+ }
+ 
+ static bool dr_mask_is_tnl_mpls_over_udp(struct mlx5dr_match_param *mask,
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index 29e1e014e718..84e6e5cdd3b2 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -1275,7 +1275,7 @@ enum {
+ enum {
+ MLX5_FLEX_PARSER_GENEVE_ENABLED = 1 << 3,
+ MLX5_FLEX_PARSER_MPLS_OVER_GRE_ENABLED = 1 << 4,
+- mlx5_FLEX_PARSER_MPLS_OVER_UDP_ENABLED = 1 << 5,
++ MLX5_FLEX_PARSER_MPLS_OVER_UDP_ENABLED = 1 << 5,
+ MLX5_FLEX_PARSER_VXLAN_GPE_ENABLED = 1 << 7,
+ MLX5_FLEX_PARSER_ICMP_V4_ENABLED = 1 << 8,
+ MLX5_FLEX_PARSER_ICMP_V6_ENABLED = 1 << 9,
+-- 
+2.31.1
+
diff --git a/SPECS/kernel-hci/0044-net-mlx5-DR-Remove-unused-struct-member-in-matcher.patch b/SPECS/kernel-hci/0044-net-mlx5-DR-Remove-unused-struct-member-in-matcher.patch
new file mode 100644
index 00000000000..7643d4ae671
--- /dev/null
+++ b/SPECS/kernel-hci/0044-net-mlx5-DR-Remove-unused-struct-member-in-matcher.patch
@@ -0,0 +1,26 @@
+From 5e1c53b044f09820c7c3f89db2fa65419a3c73f7 Mon Sep 17 00:00:00 2001
+From: Yevgeny Kliteynik
+Date: Thu, 11 Nov 2021 00:52:59 +0200
+Subject: [PATCH 35/58] net/mlx5: DR, Remove unused struct member in matcher
+
+Signed-off-by: Yevgeny Kliteynik
+Change-Id: I0dba991b5d3637a17dc7d542b84f35f8db089ab0
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+index 76dc582fffba..ac1a736c625d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+@@ -897,7 +897,6 @@ struct mlx5dr_matcher {
+ struct mlx5dr_match_param mask;
+ u8 match_criteria;
+ refcount_t refcount;
+- struct mlx5dv_flow_matcher *dv_matcher;
+ };
+ 
+ struct mlx5dr_ste_action_modify_field {
+-- 
+2.31.1
+
diff --git a/SPECS/kernel-hci/0045-net-mlx5-DR-Add-check-for-flex-parser-ID-value.patch b/SPECS/kernel-hci/0045-net-mlx5-DR-Add-check-for-flex-parser-ID-value.patch
new file mode 100644
index 00000000000..a8ba028cd79
--- /dev/null
+++ b/SPECS/kernel-hci/0045-net-mlx5-DR-Add-check-for-flex-parser-ID-value.patch
@@ -0,0 +1,46 @@
+From e0cda7c293cf9dd2736897a7ae1a75dea2350c99 Mon Sep 17 00:00:00 2001
+From: Yevgeny Kliteynik
+Date: Thu, 11 Nov 2021 00:22:29 +0200
+Subject: [PATCH 37/58] net/mlx5: DR, Add check for flex parser ID value
+
+Allow only legal values for flex parser ID - values from 0 to 7.
+For other values skip the parser, and as a result the matcher creation
+will fail for using invalid flex parser ID.
+
+Signed-off-by: Hamdan Igbaria
+Signed-off-by: Yevgeny Kliteynik
+Change-Id: Ib8b40cccde8e8dfe8dd3381a0511905d42a4492c
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c
+index 9c704bce3c12..25de50daf263 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c
+@@ -1703,7 +1703,7 @@ static void dr_ste_v0_set_flex_parser(u32 *misc4_field_id,
+ u32 id = *misc4_field_id;
+ u8 *parser_ptr;
+ 
+- if (parser_is_used[id])
++ if (id >= DR_NUM_OF_FLEX_PARSERS || parser_is_used[id])
+ return;
+ 
+ parser_is_used[id] = true;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c
+index b2481c99da79..282c4865d6ab 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c
+@@ -1831,7 +1831,7 @@ static void dr_ste_v1_set_flex_parser(u32 *misc4_field_id,
+ u32 id = *misc4_field_id;
+ u8 *parser_ptr;
+ 
+- if (parser_is_used[id])
++ if (id >= DR_NUM_OF_FLEX_PARSERS || parser_is_used[id])
+ return;
+ 
+ parser_is_used[id] = true;
+-- 
+2.31.1
+
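Review bot: The new bounds check in both `dr_ste_v0_set_flex_parser` and `dr_ste_v1_set_flex_parser` returns silently when `id` is out of range, so the failure the commit message promises ("matcher creation will fail") is produced only indirectly, presumably by the matcher's unconsumed-mask check elsewhere, and nothing at the return site says so. A short comment on the new line would make that contract explicit, e.g. `/* id comes from the match mask; an out-of-range id is left unconsumed so matcher creation fails */`. `DR_NUM_OF_FLEX_PARSERS` is not visible here; the message states the legal range is 0 to 7, which is worth restating where the bound is defined so the index into `parser_is_used` can be audited in one place. Both function bodies continue outside the hunk.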
diff --git a/SPECS/kernel-hci/0046-net-mlx5-DR-Add-missing-reserved-fields-to-dr_match_.patch b/SPECS/kernel-hci/0046-net-mlx5-DR-Add-missing-reserved-fields-to-dr_match_.patch new file mode 100644 index 00000000000..40d5e71b47c --- /dev/null +++ b/SPECS/kernel-hci/0046-net-mlx5-DR-Add-missing-reserved-fields-to-dr_match_.patch 
@@ -0,0 +1,341 @@ +From 6b81fbd4b3c8f4c0492217a8815e52188d8fb75a Mon Sep 17 00:00:00 2001 +From: Muhammad Sammar +Date: Mon, 5 Jul 2021 15:37:56 +0300 +Subject: [PATCH 38/58] net/mlx5: DR, Add missing reserved fields to + dr_match_param + +Add the reserved fields to dr_match_param and arrange +as mlx5_ifc_dr_match_param_bits. + +Signed-off-by: Muhammad Sammar +Change-Id: Id220c19506e94f0d9747a435ded2329261d1cb9d +--- + .../mellanox/mlx5/core/steering/dr_types.h | 213 ++++++++++-------- + 1 file changed, 124 insertions(+), 89 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index dbefcfa0d508..a5c548d3fce3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -494,57 +494,64 @@ struct mlx5dr_match_spec { + /* Incoming packet Ethertype - this is the Ethertype + * following the last VLAN tag of the packet + */ +- u32 ethertype:16; + u32 smac_15_0:16; /* Source MAC address of incoming packet */ ++ u32 ethertype:16; ++ + u32 dmac_47_16; /* Destination MAC address of incoming packet */ +- /* VLAN ID of first VLAN tag in the incoming packet. ++ ++ u32 dmac_15_0:16; /* Destination MAC address of incoming packet */ ++ /* Priority of first VLAN tag in the incoming packet. + * Valid only when cvlan_tag==1 or svlan_tag==1 + */ +- u32 first_vid:12; ++ u32 first_prio:3; + /* CFI bit of first VLAN tag in the incoming packet. + * Valid only when cvlan_tag==1 or svlan_tag==1 + */ + u32 first_cfi:1; +- /* Priority of first VLAN tag in the incoming packet. ++ /* VLAN ID of first VLAN tag in the incoming packet. + * Valid only when cvlan_tag==1 or svlan_tag==1 + */ +- u32 first_prio:3; +- u32 dmac_15_0:16; /* Destination MAC address of incoming packet */ +- /* TCP flags. 
;Bit 0: FIN;Bit 1: SYN;Bit 2: RST;Bit 3: PSH;Bit 4: ACK; +- * Bit 5: URG;Bit 6: ECE;Bit 7: CWR;Bit 8: NS ++ u32 first_vid:12; ++ ++ u32 ip_protocol:8; /* IP protocol */ ++ /* Differentiated Services Code Point derived from ++ * Traffic Class/TOS field of IPv6/v4 + */ +- u32 tcp_flags:9; +- u32 ip_version:4; /* IP version */ +- u32 frag:1; /* Packet is an IP fragment */ +- /* The first vlan in the packet is s-vlan (0x8a88). +- * cvlan_tag and svlan_tag cannot be set together ++ u32 ip_dscp:6; ++ /* Explicit Congestion Notification derived from ++ * Traffic Class/TOS field of IPv6/v4 + */ +- u32 svlan_tag:1; ++ u32 ip_ecn:2; + /* The first vlan in the packet is c-vlan (0x8100). + * cvlan_tag and svlan_tag cannot be set together + */ + u32 cvlan_tag:1; +- /* Explicit Congestion Notification derived from +- * Traffic Class/TOS field of IPv6/v4 ++ /* The first vlan in the packet is s-vlan (0x8a88). ++ * cvlan_tag and svlan_tag cannot be set together + */ +- u32 ip_ecn:2; +- /* Differentiated Services Code Point derived from +- * Traffic Class/TOS field of IPv6/v4 ++ u32 svlan_tag:1; ++ u32 frag:1; /* Packet is an IP fragment */ ++ u32 ip_version:4; /* IP version */ ++ /* TCP flags. ;Bit 0: FIN;Bit 1: SYN;Bit 2: RST;Bit 3: PSH;Bit 4: ACK; ++ * Bit 5: URG;Bit 6: ECE;Bit 7: CWR;Bit 8: NS + */ +- u32 ip_dscp:6; +- u32 ip_protocol:8; /* IP protocol */ ++ u32 tcp_flags:9; ++ ++ /* TCP source port.;tcp and udp sport/dport are mutually exclusive */ ++ u32 tcp_sport:16; + /* TCP destination port. 
+ * tcp and udp sport/dport are mutually exclusive + */ + u32 tcp_dport:16; +- /* TCP source port.;tcp and udp sport/dport are mutually exclusive */ +- u32 tcp_sport:16; ++ ++ u32 reserved_auto1:24; + u32 ttl_hoplimit:8; +- u32 reserved:24; +- /* UDP destination port.;tcp and udp sport/dport are mutually exclusive */ +- u32 udp_dport:16; ++ + /* UDP source port.;tcp and udp sport/dport are mutually exclusive */ + u32 udp_sport:16; ++ /* UDP destination port.;tcp and udp sport/dport are mutually exclusive */ ++ u32 udp_dport:16; ++ + /* IPv6 source address of incoming packets + * For IPv4 address use bits 31:0 (rest of the bits are reserved) + * This field should be qualified by an appropriate ethertype +@@ -588,96 +595,113 @@ struct mlx5dr_match_spec { + }; + + struct mlx5dr_match_misc { +- u32 source_sqn:24; /* Source SQN */ +- u32 source_vhca_port:4; +- /* used with GRE, sequence number exist when gre_s_present == 1 */ +- u32 gre_s_present:1; +- /* used with GRE, key exist when gre_k_present == 1 */ +- u32 gre_k_present:1; +- u32 reserved_auto1:1; + /* used with GRE, checksum exist when gre_c_present == 1 */ + u32 gre_c_present:1; ++ u32 reserved_auto1:1; ++ /* used with GRE, key exist when gre_k_present == 1 */ ++ u32 gre_k_present:1; ++ /* used with GRE, sequence number exist when gre_s_present == 1 */ ++ u32 gre_s_present:1; ++ u32 source_vhca_port:4; ++ u32 source_sqn:24; /* Source SQN */ ++ ++ u32 source_eswitch_owner_vhca_id:16; + /* Source port.;0xffff determines wire port */ + u32 source_port:16; +- u32 source_eswitch_owner_vhca_id:16; +- /* VLAN ID of first VLAN tag the inner header of the incoming packet. +- * Valid only when inner_second_cvlan_tag ==1 or inner_second_svlan_tag ==1 +- */ +- u32 inner_second_vid:12; +- /* CFI bit of first VLAN tag in the inner header of the incoming packet. 
+- * Valid only when inner_second_cvlan_tag ==1 or inner_second_svlan_tag ==1 +- */ +- u32 inner_second_cfi:1; +- /* Priority of second VLAN tag in the inner header of the incoming packet. +- * Valid only when inner_second_cvlan_tag ==1 or inner_second_svlan_tag ==1 +- */ +- u32 inner_second_prio:3; +- /* VLAN ID of first VLAN tag the outer header of the incoming packet. ++ ++ /* Priority of second VLAN tag in the outer header of the incoming packet. + * Valid only when outer_second_cvlan_tag ==1 or outer_second_svlan_tag ==1 + */ +- u32 outer_second_vid:12; ++ u32 outer_second_prio:3; + /* CFI bit of first VLAN tag in the outer header of the incoming packet. + * Valid only when outer_second_cvlan_tag ==1 or outer_second_svlan_tag ==1 + */ + u32 outer_second_cfi:1; +- /* Priority of second VLAN tag in the outer header of the incoming packet. ++ /* VLAN ID of first VLAN tag the outer header of the incoming packet. + * Valid only when outer_second_cvlan_tag ==1 or outer_second_svlan_tag ==1 + */ +- u32 outer_second_prio:3; +- u32 gre_protocol:16; /* GRE Protocol (outer) */ +- u32 reserved_auto3:12; +- /* The second vlan in the inner header of the packet is s-vlan (0x8a88). +- * inner_second_cvlan_tag and inner_second_svlan_tag cannot be set together ++ u32 outer_second_vid:12; ++ /* Priority of second VLAN tag in the inner header of the incoming packet. ++ * Valid only when inner_second_cvlan_tag ==1 or inner_second_svlan_tag ==1 + */ +- u32 inner_second_svlan_tag:1; +- /* The second vlan in the outer header of the packet is s-vlan (0x8a88). ++ u32 inner_second_prio:3; ++ /* CFI bit of first VLAN tag in the inner header of the incoming packet. ++ * Valid only when inner_second_cvlan_tag ==1 or inner_second_svlan_tag ==1 ++ */ ++ u32 inner_second_cfi:1; ++ /* VLAN ID of first VLAN tag the inner header of the incoming packet. 
++ * Valid only when inner_second_cvlan_tag ==1 or inner_second_svlan_tag ==1 ++ */ ++ u32 inner_second_vid:12; ++ ++ u32 outer_second_cvlan_tag:1; ++ u32 inner_second_cvlan_tag:1; ++ /* The second vlan in the outer header of the packet is c-vlan (0x8100). + * outer_second_cvlan_tag and outer_second_svlan_tag cannot be set together + */ + u32 outer_second_svlan_tag:1; + /* The second vlan in the inner header of the packet is c-vlan (0x8100). + * inner_second_cvlan_tag and inner_second_svlan_tag cannot be set together + */ +- u32 inner_second_cvlan_tag:1; +- /* The second vlan in the outer header of the packet is c-vlan (0x8100). ++ u32 inner_second_svlan_tag:1; ++ /* The second vlan in the outer header of the packet is s-vlan (0x8a88). + * outer_second_cvlan_tag and outer_second_svlan_tag cannot be set together + */ +- u32 outer_second_cvlan_tag:1; +- u32 gre_key_l:8; /* GRE Key [7:0] (outer) */ ++ u32 reserved_auto2:12; ++ /* The second vlan in the inner header of the packet is s-vlan (0x8a88). 
++ * inner_second_cvlan_tag and inner_second_svlan_tag cannot be set together ++ */ ++ u32 gre_protocol:16; /* GRE Protocol (outer) */ ++ + u32 gre_key_h:24; /* GRE Key[31:8] (outer) */ +- u32 reserved_auto4:8; ++ u32 gre_key_l:8; /* GRE Key [7:0] (outer) */ ++ + u32 vxlan_vni:24; /* VXLAN VNI (outer) */ +- u32 geneve_oam:1; /* GENEVE OAM field (outer) */ +- u32 reserved_auto5:7; ++ u32 reserved_auto3:8; ++ + u32 geneve_vni:24; /* GENEVE VNI field (outer) */ ++ u32 reserved_auto4:7; ++ u32 geneve_oam:1; /* GENEVE OAM field (outer) */ ++ ++ u32 reserved_auto5:12; + u32 outer_ipv6_flow_label:20; /* Flow label of incoming IPv6 packet (outer) */ ++ + u32 reserved_auto6:12; + u32 inner_ipv6_flow_label:20; /* Flow label of incoming IPv6 packet (inner) */ +- u32 reserved_auto7:12; +- u32 geneve_protocol_type:16; /* GENEVE protocol type (outer) */ ++ ++ u32 reserved_auto7:10; + u32 geneve_opt_len:6; /* GENEVE OptLen (outer) */ +- u32 reserved_auto8:10; ++ u32 geneve_protocol_type:16; /* GENEVE protocol type (outer) */ ++ ++ u32 reserved_auto8:8; + u32 bth_dst_qp:24; /* Destination QP in BTH header */ +- u32 reserved_auto9:8; +- u8 reserved_auto10[20]; ++ ++ u32 reserved_auto9; ++ u32 outer_esp_spi; ++ u32 reserved_auto10[3]; + }; + + struct mlx5dr_match_misc2 { +- u32 outer_first_mpls_ttl:8; /* First MPLS TTL (outer) */ +- u32 outer_first_mpls_s_bos:1; /* First MPLS S_BOS (outer) */ +- u32 outer_first_mpls_exp:3; /* First MPLS EXP (outer) */ + u32 outer_first_mpls_label:20; /* First MPLS LABEL (outer) */ +- u32 inner_first_mpls_ttl:8; /* First MPLS TTL (inner) */ +- u32 inner_first_mpls_s_bos:1; /* First MPLS S_BOS (inner) */ +- u32 inner_first_mpls_exp:3; /* First MPLS EXP (inner) */ ++ u32 outer_first_mpls_exp:3; /* First MPLS EXP (outer) */ ++ u32 outer_first_mpls_s_bos:1; /* First MPLS S_BOS (outer) */ ++ u32 outer_first_mpls_ttl:8; /* First MPLS TTL (outer) */ ++ + u32 inner_first_mpls_label:20; /* First MPLS LABEL (inner) */ +- u32 outer_first_mpls_over_gre_ttl:8; /* 
last MPLS TTL (outer) */ +- u32 outer_first_mpls_over_gre_s_bos:1; /* last MPLS S_BOS (outer) */ +- u32 outer_first_mpls_over_gre_exp:3; /* last MPLS EXP (outer) */ ++ u32 inner_first_mpls_exp:3; /* First MPLS EXP (inner) */ ++ u32 inner_first_mpls_s_bos:1; /* First MPLS S_BOS (inner) */ ++ u32 inner_first_mpls_ttl:8; /* First MPLS TTL (inner) */ ++ + u32 outer_first_mpls_over_gre_label:20; /* last MPLS LABEL (outer) */ +- u32 outer_first_mpls_over_udp_ttl:8; /* last MPLS TTL (outer) */ +- u32 outer_first_mpls_over_udp_s_bos:1; /* last MPLS S_BOS (outer) */ +- u32 outer_first_mpls_over_udp_exp:3; /* last MPLS EXP (outer) */ ++ u32 outer_first_mpls_over_gre_exp:3; /* last MPLS EXP (outer) */ ++ u32 outer_first_mpls_over_gre_s_bos:1; /* last MPLS S_BOS (outer) */ ++ u32 outer_first_mpls_over_gre_ttl:8; /* last MPLS TTL (outer) */ ++ + u32 outer_first_mpls_over_udp_label:20; /* last MPLS LABEL (outer) */ ++ u32 outer_first_mpls_over_udp_exp:3; /* last MPLS EXP (outer) */ ++ u32 outer_first_mpls_over_udp_s_bos:1; /* last MPLS S_BOS (outer) */ ++ u32 outer_first_mpls_over_udp_ttl:8; /* last MPLS TTL (outer) */ ++ + u32 metadata_reg_c_7; /* metadata_reg_c_7 */ + u32 metadata_reg_c_6; /* metadata_reg_c_6 */ + u32 metadata_reg_c_5; /* metadata_reg_c_5 */ +@@ -687,7 +711,7 @@ struct mlx5dr_match_misc2 { + u32 metadata_reg_c_1; /* metadata_reg_c_1 */ + u32 metadata_reg_c_0; /* metadata_reg_c_0 */ + u32 metadata_reg_a; /* metadata_reg_a */ +- u8 reserved_auto2[12]; ++ u32 reserved_auto1[3]; + }; + + struct mlx5dr_match_misc3 { +@@ -695,24 +719,34 @@ struct mlx5dr_match_misc3 { + u32 outer_tcp_seq_num; + u32 inner_tcp_ack_num; + u32 outer_tcp_ack_num; +- u32 outer_vxlan_gpe_vni:24; ++ + u32 reserved_auto1:8; +- u32 reserved_auto2:16; +- u32 outer_vxlan_gpe_flags:8; ++ u32 outer_vxlan_gpe_vni:24; ++ + u32 outer_vxlan_gpe_next_protocol:8; ++ u32 outer_vxlan_gpe_flags:8; ++ u32 reserved_auto2:16; ++ + u32 icmpv4_header_data; + u32 icmpv6_header_data; +- u8 icmpv6_code; +- u8 
icmpv6_type; +- u8 icmpv4_code; ++ + u8 icmpv4_type; ++ u8 icmpv4_code; ++ u8 icmpv6_type; ++ u8 icmpv6_code; ++ + u32 geneve_tlv_option_0_data; +- u8 gtpu_msg_flags; +- u8 gtpu_msg_type; ++ + u32 gtpu_teid; ++ ++ u8 gtpu_msg_type; ++ u8 gtpu_msg_flags; ++ u32 reserved_auto3:16; ++ + u32 gtpu_dw_2; + u32 gtpu_first_ext_dw_0; + u32 gtpu_dw_0; ++ u32 reserved_auto4; + }; + + struct mlx5dr_match_misc4 { +@@ -724,6 +758,7 @@ struct mlx5dr_match_misc4 { + u32 prog_sample_field_id_2; + u32 prog_sample_field_value_3; + u32 prog_sample_field_id_3; ++ u32 reserved_auto1[8]; + }; + + struct mlx5dr_match_param { +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0047-net-mlx5-DR-Add-support-for-dumping-steering-info.patch b/SPECS/kernel-hci/0047-net-mlx5-DR-Add-support-for-dumping-steering-info.patch new file mode 100644 index 00000000000..bcddd04306c --- /dev/null +++ b/SPECS/kernel-hci/0047-net-mlx5-DR-Add-support-for-dumping-steering-info.patch 
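Review bot: Several field comments in the reordered structs no longer sit above the field they describe: in `struct mlx5dr_match_spec` the "Incoming packet Ethertype" comment now precedes `smac_15_0` rather than `ethertype`, and in `struct mlx5dr_match_misc` the "outer ... c-vlan (0x8100)" comment precedes `outer_second_svlan_tag`, the "inner ... c-vlan" comment precedes `inner_second_svlan_tag`, the "outer ... s-vlan (0x8a88)" comment precedes `reserved_auto2` and the "inner ... s-vlan" comment precedes `gre_protocol`, while the two `*_cvlan_tag` members at the top of that group carry no comment at all. Each comment should be moved to its own member (the svlan comments above the `*_svlan_tag` fields, the cvlan comments above the `*_cvlan_tag` fields, the Ethertype comment above `ethertype`) so the documentation does not mislead the next reader of a layout-sensitive struct. Since the commit's purpose is to make these structs mirror `mlx5_ifc_dr_match_param_bits` bit for bit and it adds reserved padding, a compile-time guard such as a `BUILD_BUG_ON` comparing `sizeof(struct mlx5dr_match_param)` with the ifc-derived match-param size constant the driver already uses would catch any future member that breaks the size or alignment; I have not confirmed which constant that is here. The struct definitions begin outside the hunk.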
@@ -0,0 +1,889 @@ +From 9222f0b27da22579bea02cd2f1bc87beced2ef8d Mon Sep 17 00:00:00 2001 +From: Muhammad Sammar +Date: Wed, 9 Dec 2020 13:40:50 +0200 +Subject: [PATCH] net/mlx5: DR, Add support for dumping steering info + +Extend mlx5 debugfs support to present Software Steering resources: +dr_domain including it's tables, matchers and rules. +The interface is read-only. While dump is being presented, new steering +rules cannot be inserted/deleted. + +The steering information is dumped in the CSV form with the following +format: + + ,, ,..., + +This data can be read at the following path: + + /sys/kernel/debug/mlx5//steering/fdb/ + +Example: + + # cat /sys/kernel/debug/mlx5/0000:82:00.0/steering/fdb/dmn_000018644 + 3100,0x55caa4621c50,0xee802,4,65533 + 3101,0x55caa4621c50,0xe0100008 + +Changes in V2: + - Reduce temp hex buffer size and avoid unnecessary memset + - Use bin2hex() instead of DIY loop + - Don't check debugfs functions return values + +Signed-off-by: Muhammad Sammar +Signed-off-by: Yevgeny Kliteynik +--- + .../net/ethernet/mellanox/mlx5/core/Makefile | 3 +- + .../mellanox/mlx5/core/steering/dr_dbg.c | 649 ++++++++++++++++++ + .../mellanox/mlx5/core/steering/dr_dbg.h | 15 + + .../mellanox/mlx5/core/steering/dr_domain.c | 3 +- + .../mellanox/mlx5/core/steering/dr_matcher.c | 1 + + .../mellanox/mlx5/core/steering/dr_rule.c | 9 +- + .../mellanox/mlx5/core/steering/dr_table.c | 3 + + .../mellanox/mlx5/core/steering/dr_types.h | 13 +- + 8 files changed, 688 insertions(+), 8 deletions(-) + create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.c + create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.h + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/Makefile b/drivers/net/ethernet/mellanox/mlx5/core/Makefile +index e592e0955c71..33904bc87efa 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/Makefile ++++ b/drivers/net/ethernet/mellanox/mlx5/core/Makefile +@@ -104,7 +104,8 @@ 
mlx5_core-$(CONFIG_MLX5_SW_STEERING) += steering/dr_domain.o steering/dr_table.o + steering/dr_ste.o steering/dr_send.o \ + steering/dr_ste_v0.o steering/dr_ste_v1.o \ + steering/dr_cmd.o steering/dr_fw.o \ +- steering/dr_action.o steering/fs_dr.o ++ steering/dr_action.o steering/fs_dr.o \ ++ steering/dr_dbg.o + # + # SF device + # +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.c +new file mode 100644 +index 000000000000..2784cd59fefe +--- /dev/null ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.c +@@ -0,0 +1,649 @@ ++// SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB ++// Copyright (c) 2021, NVIDIA CORPORATION & AFFILIATES. All rights reserved. ++ ++#include ++#include ++#include ++#include ++#include "dr_types.h" ++ ++#define DR_DBG_PTR_TO_ID(p) ((u64)(uintptr_t)(p) & 0xFFFFFFFFULL) ++ ++enum dr_dump_rec_type { ++ DR_DUMP_REC_TYPE_DOMAIN = 3000, ++ DR_DUMP_REC_TYPE_DOMAIN_INFO_FLEX_PARSER = 3001, ++ DR_DUMP_REC_TYPE_DOMAIN_INFO_DEV_ATTR = 3002, ++ DR_DUMP_REC_TYPE_DOMAIN_INFO_VPORT = 3003, ++ DR_DUMP_REC_TYPE_DOMAIN_INFO_CAPS = 3004, ++ DR_DUMP_REC_TYPE_DOMAIN_SEND_RING = 3005, ++ ++ DR_DUMP_REC_TYPE_TABLE = 3100, ++ DR_DUMP_REC_TYPE_TABLE_RX = 3101, ++ DR_DUMP_REC_TYPE_TABLE_TX = 3102, ++ ++ DR_DUMP_REC_TYPE_MATCHER = 3200, ++ DR_DUMP_REC_TYPE_MATCHER_MASK = 3201, ++ DR_DUMP_REC_TYPE_MATCHER_RX = 3202, ++ DR_DUMP_REC_TYPE_MATCHER_TX = 3203, ++ DR_DUMP_REC_TYPE_MATCHER_BUILDER = 3204, ++ ++ DR_DUMP_REC_TYPE_RULE = 3300, ++ DR_DUMP_REC_TYPE_RULE_RX_ENTRY_V0 = 3301, ++ DR_DUMP_REC_TYPE_RULE_TX_ENTRY_V0 = 3302, ++ DR_DUMP_REC_TYPE_RULE_RX_ENTRY_V1 = 3303, ++ DR_DUMP_REC_TYPE_RULE_TX_ENTRY_V1 = 3304, ++ ++ DR_DUMP_REC_TYPE_ACTION_ENCAP_L2 = 3400, ++ DR_DUMP_REC_TYPE_ACTION_ENCAP_L3 = 3401, ++ DR_DUMP_REC_TYPE_ACTION_MODIFY_HDR = 3402, ++ DR_DUMP_REC_TYPE_ACTION_DROP = 3403, ++ DR_DUMP_REC_TYPE_ACTION_QP = 3404, ++ DR_DUMP_REC_TYPE_ACTION_FT = 3405, ++ 
DR_DUMP_REC_TYPE_ACTION_CTR = 3406, ++ DR_DUMP_REC_TYPE_ACTION_TAG = 3407, ++ DR_DUMP_REC_TYPE_ACTION_VPORT = 3408, ++ DR_DUMP_REC_TYPE_ACTION_DECAP_L2 = 3409, ++ DR_DUMP_REC_TYPE_ACTION_DECAP_L3 = 3410, ++ DR_DUMP_REC_TYPE_ACTION_DEVX_TIR = 3411, ++ DR_DUMP_REC_TYPE_ACTION_PUSH_VLAN = 3412, ++ DR_DUMP_REC_TYPE_ACTION_POP_VLAN = 3413, ++ DR_DUMP_REC_TYPE_ACTION_SAMPLER = 3415, ++ DR_DUMP_REC_TYPE_ACTION_INSERT_HDR = 3420, ++ DR_DUMP_REC_TYPE_ACTION_REMOVE_HDR = 3421 ++}; ++ ++void mlx5dr_dbg_tbl_add(struct mlx5dr_table *tbl) ++{ ++ mutex_lock(&tbl->dmn->dump_info.dbg_mutex); ++ list_add_tail(&tbl->dbg_node, &tbl->dmn->dbg_tbl_list); ++ mutex_unlock(&tbl->dmn->dump_info.dbg_mutex); ++} ++ ++void mlx5dr_dbg_tbl_del(struct mlx5dr_table *tbl) ++{ ++ mutex_lock(&tbl->dmn->dump_info.dbg_mutex); ++ list_del(&tbl->dbg_node); ++ mutex_unlock(&tbl->dmn->dump_info.dbg_mutex); ++} ++ ++void mlx5dr_dbg_rule_add(struct mlx5dr_rule *rule) ++{ ++ struct mlx5dr_domain *dmn = rule->matcher->tbl->dmn; ++ ++ mutex_lock(&dmn->dump_info.dbg_mutex); ++ list_add_tail(&rule->dbg_node, &rule->matcher->dbg_rule_list); ++ mutex_unlock(&dmn->dump_info.dbg_mutex); ++} ++ ++void mlx5dr_dbg_rule_del(struct mlx5dr_rule *rule) ++{ ++ struct mlx5dr_domain *dmn = rule->matcher->tbl->dmn; ++ ++ mutex_lock(&dmn->dump_info.dbg_mutex); ++ list_del(&rule->dbg_node); ++ mutex_unlock(&dmn->dump_info.dbg_mutex); ++} ++ ++static u64 dr_dump_icm_to_idx(u64 icm_addr) ++{ ++ return (icm_addr >> 6) & 0xffffffff; ++} ++ ++#define DR_HEX_SIZE 256 ++ ++static void ++dr_dump_hex_print(char hex[DR_HEX_SIZE], char *src, u32 size) ++{ ++ if (WARN_ON_ONCE(DR_HEX_SIZE < 2 * size + 1)) ++ size = DR_HEX_SIZE / 2 - 1; /* truncate */ ++ ++ bin2hex(hex, src, size); ++ hex[2 * size] = 0; /* NULL-terminate */ ++} ++ ++static int ++dr_dump_rule_action_mem(struct seq_file *file, const u64 rule_id, ++ struct mlx5dr_rule_action_member *action_mem) ++{ ++ struct mlx5dr_action *action = action_mem->action; ++ const u64 action_id = 
DR_DBG_PTR_TO_ID(action); ++ ++ switch (action->action_type) { ++ case DR_ACTION_TYP_DROP: ++ seq_printf(file, "%d,0x%llx,0x%llx\n", ++ DR_DUMP_REC_TYPE_ACTION_DROP, action_id, rule_id); ++ break; ++ case DR_ACTION_TYP_FT: ++ if (action->dest_tbl->is_fw_tbl) ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_FT, action_id, ++ rule_id, action->dest_tbl->fw_tbl.id); ++ else ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_FT, action_id, ++ rule_id, action->dest_tbl->tbl->table_id); ++ ++ break; ++ case DR_ACTION_TYP_CTR: ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_CTR, action_id, rule_id, ++ action->ctr->ctr_id + action->ctr->offset); ++ break; ++ case DR_ACTION_TYP_TAG: ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_TAG, action_id, rule_id, ++ action->flow_tag->flow_tag); ++ break; ++ case DR_ACTION_TYP_MODIFY_HDR: ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_MODIFY_HDR, action_id, ++ rule_id, action->rewrite->index); ++ break; ++ case DR_ACTION_TYP_VPORT: ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_VPORT, action_id, rule_id, ++ action->vport->caps->num); ++ break; ++ case DR_ACTION_TYP_TNL_L2_TO_L2: ++ seq_printf(file, "%d,0x%llx,0x%llx\n", ++ DR_DUMP_REC_TYPE_ACTION_DECAP_L2, action_id, ++ rule_id); ++ break; ++ case DR_ACTION_TYP_TNL_L3_TO_L2: ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_DECAP_L3, action_id, ++ rule_id, action->rewrite->index); ++ break; ++ case DR_ACTION_TYP_L2_TO_TNL_L2: ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_ENCAP_L2, action_id, ++ rule_id, action->reformat->id); ++ break; ++ case DR_ACTION_TYP_L2_TO_TNL_L3: ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_ENCAP_L3, action_id, ++ rule_id, action->reformat->id); ++ break; ++ case DR_ACTION_TYP_POP_VLAN: ++ seq_printf(file, "%d,0x%llx,0x%llx\n", 
++ DR_DUMP_REC_TYPE_ACTION_POP_VLAN, action_id, ++ rule_id); ++ break; ++ case DR_ACTION_TYP_PUSH_VLAN: ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_PUSH_VLAN, action_id, ++ rule_id, action->push_vlan->vlan_hdr); ++ break; ++ case DR_ACTION_TYP_INSERT_HDR: ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x,0x%x,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_INSERT_HDR, action_id, ++ rule_id, action->reformat->id, ++ action->reformat->param_0, ++ action->reformat->param_1); ++ break; ++ case DR_ACTION_TYP_REMOVE_HDR: ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x,0x%x,0x%x\n", ++ DR_DUMP_REC_TYPE_ACTION_REMOVE_HDR, action_id, ++ rule_id, action->reformat->id, ++ action->reformat->param_0, ++ action->reformat->param_1); ++ break; ++ case DR_ACTION_TYP_SAMPLER: ++ seq_printf(file, ++ "%d,0x%llx,0x%llx,0x%x,0x%x,0x%x,0x%llx,0x%llx\n", ++ DR_DUMP_REC_TYPE_ACTION_SAMPLER, action_id, rule_id, ++ 0, 0, action->sampler->sampler_id, ++ action->sampler->rx_icm_addr, ++ action->sampler->tx_icm_addr); ++ break; ++ default: ++ return 0; ++ } ++ ++ return 0; ++} ++ ++static int ++dr_dump_rule_mem(struct seq_file *file, struct mlx5dr_ste *ste, ++ bool is_rx, const u64 rule_id, u8 format_ver) ++{ ++ char hw_ste_dump[DR_HEX_SIZE]; ++ u32 mem_rec_type; ++ ++ if (format_ver == MLX5_STEERING_FORMAT_CONNECTX_5) { ++ mem_rec_type = is_rx ? DR_DUMP_REC_TYPE_RULE_RX_ENTRY_V0 : ++ DR_DUMP_REC_TYPE_RULE_TX_ENTRY_V0; ++ } else { ++ mem_rec_type = is_rx ? 
DR_DUMP_REC_TYPE_RULE_RX_ENTRY_V1 : ++ DR_DUMP_REC_TYPE_RULE_TX_ENTRY_V1; ++ } ++ ++ dr_dump_hex_print(hw_ste_dump, (char *)ste->hw_ste, DR_STE_SIZE_REDUCED); ++ ++ seq_printf(file, "%d,0x%llx,0x%llx,%s\n", mem_rec_type, ++ dr_dump_icm_to_idx(mlx5dr_ste_get_icm_addr(ste)), rule_id, ++ hw_ste_dump); ++ ++ return 0; ++} ++ ++static int ++dr_dump_rule_rx_tx(struct seq_file *file, struct mlx5dr_rule_rx_tx *rule_rx_tx, ++ bool is_rx, const u64 rule_id, u8 format_ver) ++{ ++ struct mlx5dr_ste *ste_arr[DR_RULE_MAX_STES + DR_ACTION_MAX_STES]; ++ struct mlx5dr_ste *curr_ste = rule_rx_tx->last_rule_ste; ++ int ret, i; ++ ++ if (mlx5dr_rule_get_reverse_rule_members(ste_arr, curr_ste, &i)) ++ return 0; ++ ++ while (i--) { ++ ret = dr_dump_rule_mem(file, ste_arr[i], is_rx, rule_id, ++ format_ver); ++ if (ret < 0) ++ return ret; ++ } ++ ++ return 0; ++} ++ ++static int dr_dump_rule(struct seq_file *file, struct mlx5dr_rule *rule) ++{ ++ struct mlx5dr_rule_action_member *action_mem; ++ const u64 rule_id = DR_DBG_PTR_TO_ID(rule); ++ struct mlx5dr_rule_rx_tx *rx = &rule->rx; ++ struct mlx5dr_rule_rx_tx *tx = &rule->tx; ++ u8 format_ver; ++ int ret; ++ ++ format_ver = rule->matcher->tbl->dmn->info.caps.sw_format_ver; ++ ++ seq_printf(file, "%d,0x%llx,0x%llx\n", DR_DUMP_REC_TYPE_RULE, rule_id, ++ DR_DBG_PTR_TO_ID(rule->matcher)); ++ ++ if (rx->nic_matcher) { ++ ret = dr_dump_rule_rx_tx(file, rx, true, rule_id, format_ver); ++ if (ret < 0) ++ return ret; ++ } ++ ++ if (tx->nic_matcher) { ++ ret = dr_dump_rule_rx_tx(file, tx, false, rule_id, format_ver); ++ if (ret < 0) ++ return ret; ++ } ++ ++ list_for_each_entry(action_mem, &rule->rule_actions_list, list) { ++ ret = dr_dump_rule_action_mem(file, rule_id, action_mem); ++ if (ret < 0) ++ return ret; ++ } ++ ++ return 0; ++} ++ ++static int ++dr_dump_matcher_mask(struct seq_file *file, struct mlx5dr_match_param *mask, ++ u8 criteria, const u64 matcher_id) ++{ ++ char dump[DR_HEX_SIZE]; ++ ++ seq_printf(file, "%d,0x%llx,", 
DR_DUMP_REC_TYPE_MATCHER_MASK, ++ matcher_id); ++ ++ if (criteria & DR_MATCHER_CRITERIA_OUTER) { ++ dr_dump_hex_print(dump, (char *)&mask->outer, sizeof(mask->outer)); ++ seq_printf(file, "%s,", dump); ++ } else { ++ seq_puts(file, ","); ++ } ++ ++ if (criteria & DR_MATCHER_CRITERIA_INNER) { ++ dr_dump_hex_print(dump, (char *)&mask->inner, sizeof(mask->inner)); ++ seq_printf(file, "%s,", dump); ++ } else { ++ seq_puts(file, ","); ++ } ++ ++ if (criteria & DR_MATCHER_CRITERIA_MISC) { ++ dr_dump_hex_print(dump, (char *)&mask->misc, sizeof(mask->misc)); ++ seq_printf(file, "%s,", dump); ++ } else { ++ seq_puts(file, ","); ++ } ++ ++ if (criteria & DR_MATCHER_CRITERIA_MISC2) { ++ dr_dump_hex_print(dump, (char *)&mask->misc2, sizeof(mask->misc2)); ++ seq_printf(file, "%s,", dump); ++ } else { ++ seq_puts(file, ","); ++ } ++ ++ if (criteria & DR_MATCHER_CRITERIA_MISC3) { ++ dr_dump_hex_print(dump, (char *)&mask->misc3, sizeof(mask->misc3)); ++ seq_printf(file, "%s\n", dump); ++ } else { ++ seq_puts(file, ",\n"); ++ } ++ ++ return 0; ++} ++ ++static int ++dr_dump_matcher_builder(struct seq_file *file, struct mlx5dr_ste_build *builder, ++ u32 index, bool is_rx, const u64 matcher_id) ++{ ++ seq_printf(file, "%d,0x%llx,%d,%d,0x%x\n", ++ DR_DUMP_REC_TYPE_MATCHER_BUILDER, matcher_id, index, is_rx, ++ builder->lu_type); ++ ++ return 0; ++} ++ ++static int ++dr_dump_matcher_rx_tx(struct seq_file *file, bool is_rx, ++ struct mlx5dr_matcher_rx_tx *matcher_rx_tx, ++ const u64 matcher_id) ++{ ++ enum dr_dump_rec_type rec_type; ++ int i, ret; ++ ++ rec_type = is_rx ? 
DR_DUMP_REC_TYPE_MATCHER_RX : ++ DR_DUMP_REC_TYPE_MATCHER_TX; ++ ++ seq_printf(file, "%d,0x%llx,0x%llx,%d,0x%llx,0x%llx\n", ++ rec_type, DR_DBG_PTR_TO_ID(matcher_rx_tx), ++ matcher_id, matcher_rx_tx->num_of_builders, ++ dr_dump_icm_to_idx(matcher_rx_tx->s_htbl->chunk->icm_addr), ++ dr_dump_icm_to_idx(matcher_rx_tx->e_anchor->chunk->icm_addr)); ++ ++ for (i = 0; i < matcher_rx_tx->num_of_builders; i++) { ++ ret = dr_dump_matcher_builder(file, ++ &matcher_rx_tx->ste_builder[i], ++ i, is_rx, matcher_id); ++ if (ret < 0) ++ return ret; ++ } ++ ++ return 0; ++} ++ ++static int ++dr_dump_matcher(struct seq_file *file, struct mlx5dr_matcher *matcher) ++{ ++ struct mlx5dr_matcher_rx_tx *rx = &matcher->rx; ++ struct mlx5dr_matcher_rx_tx *tx = &matcher->tx; ++ u64 matcher_id; ++ int ret; ++ ++ matcher_id = DR_DBG_PTR_TO_ID(matcher); ++ ++ seq_printf(file, "%d,0x%llx,0x%llx,%d\n", DR_DUMP_REC_TYPE_MATCHER, ++ matcher_id, DR_DBG_PTR_TO_ID(matcher->tbl), matcher->prio); ++ ++ ret = dr_dump_matcher_mask(file, &matcher->mask, ++ matcher->match_criteria, matcher_id); ++ if (ret < 0) ++ return ret; ++ ++ if (rx->nic_tbl) { ++ ret = dr_dump_matcher_rx_tx(file, true, rx, matcher_id); ++ if (ret < 0) ++ return ret; ++ } ++ ++ if (tx->nic_tbl) { ++ ret = dr_dump_matcher_rx_tx(file, false, tx, matcher_id); ++ if (ret < 0) ++ return ret; ++ } ++ ++ return 0; ++} ++ ++static int ++dr_dump_matcher_all(struct seq_file *file, struct mlx5dr_matcher *matcher) ++{ ++ struct mlx5dr_rule *rule; ++ int ret; ++ ++ ret = dr_dump_matcher(file, matcher); ++ if (ret < 0) ++ return ret; ++ ++ list_for_each_entry(rule, &matcher->dbg_rule_list, dbg_node) { ++ ret = dr_dump_rule(file, rule); ++ if (ret < 0) ++ return ret; ++ } ++ ++ return 0; ++} ++ ++static int ++dr_dump_table_rx_tx(struct seq_file *file, bool is_rx, ++ struct mlx5dr_table_rx_tx *table_rx_tx, ++ const u64 table_id) ++{ ++ enum dr_dump_rec_type rec_type; ++ ++ rec_type = is_rx ? 
DR_DUMP_REC_TYPE_TABLE_RX : ++ DR_DUMP_REC_TYPE_TABLE_TX; ++ ++ seq_printf(file, "%d,0x%llx,0x%llx\n", rec_type, table_id, ++ dr_dump_icm_to_idx(table_rx_tx->s_anchor->chunk->icm_addr)); ++ ++ return 0; ++} ++ ++static int dr_dump_table(struct seq_file *file, struct mlx5dr_table *table) ++{ ++ struct mlx5dr_table_rx_tx *rx = &table->rx; ++ struct mlx5dr_table_rx_tx *tx = &table->tx; ++ int ret; ++ ++ seq_printf(file, "%d,0x%llx,0x%llx,%d,%d\n", DR_DUMP_REC_TYPE_TABLE, ++ DR_DBG_PTR_TO_ID(table), DR_DBG_PTR_TO_ID(table->dmn), ++ table->table_type, table->level); ++ ++ if (rx->nic_dmn) { ++ ret = dr_dump_table_rx_tx(file, true, rx, ++ DR_DBG_PTR_TO_ID(table)); ++ if (ret < 0) ++ return ret; ++ } ++ ++ if (tx->nic_dmn) { ++ ret = dr_dump_table_rx_tx(file, false, tx, ++ DR_DBG_PTR_TO_ID(table)); ++ if (ret < 0) ++ return ret; ++ } ++ return 0; ++} ++ ++static int dr_dump_table_all(struct seq_file *file, struct mlx5dr_table *tbl) ++{ ++ struct mlx5dr_matcher *matcher; ++ int ret; ++ ++ ret = dr_dump_table(file, tbl); ++ if (ret < 0) ++ return ret; ++ ++ list_for_each_entry(matcher, &tbl->matcher_list, list_node) { ++ ret = dr_dump_matcher_all(file, matcher); ++ if (ret < 0) ++ return ret; ++ } ++ return 0; ++} ++ ++static int ++dr_dump_send_ring(struct seq_file *file, struct mlx5dr_send_ring *ring, ++ const u64 domain_id) ++{ ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x,0x%x\n", ++ DR_DUMP_REC_TYPE_DOMAIN_SEND_RING, DR_DBG_PTR_TO_ID(ring), ++ domain_id, ring->cq->mcq.cqn, ring->qp->qpn); ++ return 0; ++} ++ ++static int ++dr_dump_domain_info_flex_parser(struct seq_file *file, ++ const char *flex_parser_name, ++ const u8 flex_parser_value, ++ const u64 domain_id) ++{ ++ seq_printf(file, "%d,0x%llx,%s,0x%x\n", ++ DR_DUMP_REC_TYPE_DOMAIN_INFO_FLEX_PARSER, domain_id, ++ flex_parser_name, flex_parser_value); ++ return 0; ++} ++ ++static int ++dr_dump_domain_info_caps(struct seq_file *file, struct mlx5dr_cmd_caps *caps, ++ const u64 domain_id) ++{ ++ struct mlx5dr_cmd_vport_cap 
*vport_caps; ++ unsigned long i, vports_num; ++ ++ xa_for_each(&caps->vports.vports_caps_xa, vports_num, vport_caps) ++ ; /* count the number of vports in xarray */ ++ ++ seq_printf(file, "%d,0x%llx,0x%x,0x%llx,0x%llx,0x%x,%lu,%d\n", ++ DR_DUMP_REC_TYPE_DOMAIN_INFO_CAPS, domain_id, caps->gvmi, ++ caps->nic_rx_drop_address, caps->nic_tx_drop_address, ++ caps->flex_protocols, vports_num, caps->eswitch_manager); ++ ++ xa_for_each(&caps->vports.vports_caps_xa, i, vport_caps) { ++ vport_caps = xa_load(&caps->vports.vports_caps_xa, i); ++ ++ seq_printf(file, "%d,0x%llx,%lu,0x%x,0x%llx,0x%llx\n", ++ DR_DUMP_REC_TYPE_DOMAIN_INFO_VPORT, domain_id, i, ++ vport_caps->vport_gvmi, vport_caps->icm_address_rx, ++ vport_caps->icm_address_tx); ++ } ++ return 0; ++} ++ ++static int ++dr_dump_domain_info(struct seq_file *file, struct mlx5dr_domain_info *info, ++ const u64 domain_id) ++{ ++ int ret; ++ ++ ret = dr_dump_domain_info_caps(file, &info->caps, domain_id); ++ if (ret < 0) ++ return ret; ++ ++ ret = dr_dump_domain_info_flex_parser(file, "icmp_dw0", ++ info->caps.flex_parser_id_icmp_dw0, ++ domain_id); ++ if (ret < 0) ++ return ret; ++ ++ ret = dr_dump_domain_info_flex_parser(file, "icmp_dw1", ++ info->caps.flex_parser_id_icmp_dw1, ++ domain_id); ++ if (ret < 0) ++ return ret; ++ ++ ret = dr_dump_domain_info_flex_parser(file, "icmpv6_dw0", ++ info->caps.flex_parser_id_icmpv6_dw0, ++ domain_id); ++ if (ret < 0) ++ return ret; ++ ++ ret = dr_dump_domain_info_flex_parser(file, "icmpv6_dw1", ++ info->caps.flex_parser_id_icmpv6_dw1, ++ domain_id); ++ if (ret < 0) ++ return ret; ++ ++ return 0; ++} ++ ++static int ++dr_dump_domain(struct seq_file *file, struct mlx5dr_domain *dmn) ++{ ++ u64 domain_id = DR_DBG_PTR_TO_ID(dmn); ++ int ret; ++ ++ seq_printf(file, "%d,0x%llx,%d,0%x,%d,%s\n", DR_DUMP_REC_TYPE_DOMAIN, ++ domain_id, dmn->type, dmn->info.caps.gvmi, ++ dmn->info.supp_sw_steering, pci_name(dmn->mdev->pdev)); ++ ++ ret = dr_dump_domain_info(file, &dmn->info, domain_id); ++ if 
(ret < 0) ++ return ret; ++ ++ if (dmn->info.supp_sw_steering) { ++ ret = dr_dump_send_ring(file, dmn->send_ring, domain_id); ++ if (ret < 0) ++ return ret; ++ } ++ ++ return 0; ++} ++ ++static int dr_dump_domain_all(struct seq_file *file, struct mlx5dr_domain *dmn) ++{ ++ struct mlx5dr_table *tbl; ++ int ret; ++ ++ mutex_lock(&dmn->dump_info.dbg_mutex); ++ mlx5dr_domain_lock(dmn); ++ ++ ret = dr_dump_domain(file, dmn); ++ if (ret < 0) ++ goto unlock_mutex; ++ ++ list_for_each_entry(tbl, &dmn->dbg_tbl_list, dbg_node) { ++ ret = dr_dump_table_all(file, tbl); ++ if (ret < 0) ++ break; ++ } ++ ++unlock_mutex: ++ mlx5dr_domain_unlock(dmn); ++ mutex_unlock(&dmn->dump_info.dbg_mutex); ++ return ret; ++} ++ ++static int dr_dump_show(struct seq_file *file, void *priv) ++{ ++ return dr_dump_domain_all(file, file->private); ++} ++DEFINE_SHOW_ATTRIBUTE(dr_dump); ++ ++void mlx5dr_dbg_init_dump(struct mlx5dr_domain *dmn) ++{ ++ struct mlx5_core_dev *dev = dmn->mdev; ++ char file_name[128]; ++ ++ if (dmn->type != MLX5DR_DOMAIN_TYPE_FDB) { ++ mlx5_core_warn(dev, ++ "Steering dump is not supported for NIC RX/TX domains\n"); ++ return; ++ } ++ ++ dmn->dump_info.steering_debugfs = ++ debugfs_create_dir("steering", dev->priv.dbg_root); ++ dmn->dump_info.fdb_debugfs = ++ debugfs_create_dir("fdb", dmn->dump_info.steering_debugfs); ++ ++ sprintf(file_name, "dmn_%p", dmn); ++ debugfs_create_file(file_name, 0444, dmn->dump_info.fdb_debugfs, ++ dmn, &dr_dump_fops); ++ ++ INIT_LIST_HEAD(&dmn->dbg_tbl_list); ++ mutex_init(&dmn->dump_info.dbg_mutex); ++} ++ ++void mlx5dr_dbg_uninit_dump(struct mlx5dr_domain *dmn) ++{ ++ debugfs_remove_recursive(dmn->dump_info.steering_debugfs); ++ mutex_destroy(&dmn->dump_info.dbg_mutex); ++} +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.h +new file mode 100644 +index 000000000000..def6cf853eea +--- /dev/null ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.h +@@ 
-0,0 +1,15 @@ ++/* SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB */ ++/* Copyright (c) 2021, NVIDIA CORPORATION & AFFILIATES. All rights reserved. */ ++ ++struct mlx5dr_dbg_dump_info { ++ struct mutex dbg_mutex; /* protect dbg lists */ ++ struct dentry *steering_debugfs; ++ struct dentry *fdb_debugfs; ++}; ++ ++void mlx5dr_dbg_init_dump(struct mlx5dr_domain *dmn); ++void mlx5dr_dbg_uninit_dump(struct mlx5dr_domain *dmn); ++void mlx5dr_dbg_tbl_add(struct mlx5dr_table *tbl); ++void mlx5dr_dbg_tbl_del(struct mlx5dr_table *tbl); ++void mlx5dr_dbg_rule_add(struct mlx5dr_rule *rule); ++void mlx5dr_dbg_rule_del(struct mlx5dr_rule *rule); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +index c54cc45f63dc..97a41b2b36e5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +@@ -395,7 +395,7 @@ mlx5dr_domain_create(struct mlx5_core_dev *mdev, enum mlx5dr_domain_type type) + } + + dr_domain_init_csum_recalc_fts(dmn); +- ++ mlx5dr_dbg_init_dump(dmn); + return dmn; + + uninit_caps: +@@ -436,6 +436,7 @@ int mlx5dr_domain_destroy(struct mlx5dr_domain *dmn) + + /* make sure resources are not used by the hardware */ + mlx5dr_cmd_sync_steering(dmn->mdev); ++ mlx5dr_dbg_uninit_dump(dmn); + dr_domain_uninit_csum_recalc_fts(dmn); + dr_domain_uninit_resources(dmn); + dr_domain_caps_uninit(dmn); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +index af2cbbb6ef95..88288c02d6ea 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +@@ -969,6 +969,7 @@ mlx5dr_matcher_create(struct mlx5dr_table *tbl, + matcher->match_criteria = match_criteria_enable; + refcount_set(&matcher->refcount, 1); + INIT_LIST_HEAD(&matcher->list_node); ++ 
INIT_LIST_HEAD(&matcher->dbg_rule_list); + + mlx5dr_domain_lock(tbl->dmn); + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c +index 6a390e981b09..3b4cd3160c27 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c +@@ -5,11 +5,6 @@ + + #define DR_RULE_MAX_STE_CHAIN (DR_RULE_MAX_STES + DR_ACTION_MAX_STES) + +-struct mlx5dr_rule_action_member { +- struct mlx5dr_action *action; +- struct list_head list; +-}; +- + static int dr_rule_append_to_miss_list(struct mlx5dr_ste_ctx *ste_ctx, + struct mlx5dr_ste *new_last_ste, + struct list_head *miss_list, +@@ -1003,6 +998,8 @@ static int dr_rule_destroy_rule(struct mlx5dr_rule *rule) + { + struct mlx5dr_domain *dmn = rule->matcher->tbl->dmn; + ++ mlx5dr_dbg_rule_del(rule); ++ + switch (dmn->type) { + case MLX5DR_DOMAIN_TYPE_NIC_RX: + dr_rule_destroy_rule_nic(rule, &rule->rx); +@@ -1257,6 +1254,8 @@ dr_rule_create_rule(struct mlx5dr_matcher *matcher, + if (ret) + goto remove_action_members; + ++ INIT_LIST_HEAD(&rule->dbg_node); ++ mlx5dr_dbg_rule_add(rule); + return rule; + + remove_action_members: +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +index 4c40178e7d1e..241ee49a24ba 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +@@ -266,6 +266,8 @@ struct mlx5dr_table *mlx5dr_table_create(struct mlx5dr_domain *dmn, u32 level, u + if (ret) + goto uninit_tbl; + ++ INIT_LIST_HEAD(&tbl->dbg_node); ++ mlx5dr_dbg_tbl_add(tbl); + return tbl; + + uninit_tbl: +@@ -284,6 +286,7 @@ int mlx5dr_table_destroy(struct mlx5dr_table *tbl) + if (refcount_read(&tbl->refcount) > 1) + return -EBUSY; + ++ mlx5dr_dbg_tbl_del(tbl); + ret = dr_table_destroy_sw_owned_tbl(tbl); + if (ret) + return ret; +diff 
--git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index 9f21a72e23b1..584d2b0eb016 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -11,6 +11,7 @@ + #include "lib/mlx5.h" + #include "mlx5_ifc_dr.h" + #include "mlx5dr.h" ++#include "dr_dbg.h" + + #define DR_RULE_MAX_STES 18 + #define DR_ACTION_MAX_STES 5 +@@ -878,6 +879,8 @@ struct mlx5dr_domain { + struct mlx5dr_domain_info info; + struct xarray csum_fts_xa; + struct mlx5dr_ste_ctx *ste_ctx; ++ struct list_head dbg_tbl_list; ++ struct mlx5dr_dbg_dump_info dump_info; + }; + + struct mlx5dr_table_rx_tx { +@@ -897,6 +900,7 @@ struct mlx5dr_table { + struct list_head matcher_list; + struct mlx5dr_action *miss_action; + refcount_t refcount; ++ struct list_head dbg_node; + }; + + struct mlx5dr_matcher_rx_tx { +@@ -916,11 +920,12 @@ struct mlx5dr_matcher { + struct mlx5dr_table *tbl; + struct mlx5dr_matcher_rx_tx rx; + struct mlx5dr_matcher_rx_tx tx; +- struct list_head list_node; ++ struct list_head list_node; /* Used for both matchers and dbg managing */ + u32 prio; + struct mlx5dr_match_param mask; + u8 match_criteria; + refcount_t refcount; ++ struct list_head dbg_rule_list; + }; + + struct mlx5dr_ste_action_modify_field { +@@ -992,6 +997,11 @@ struct mlx5dr_action_flow_tag { + u32 flow_tag; + }; + ++struct mlx5dr_rule_action_member { ++ struct mlx5dr_action *action; ++ struct list_head list; ++}; ++ + struct mlx5dr_action { + enum mlx5dr_action_type action_type; + refcount_t refcount; +@@ -1032,6 +1042,7 @@ struct mlx5dr_rule { + struct mlx5dr_rule_rx_tx rx; + struct mlx5dr_rule_rx_tx tx; + struct list_head rule_actions_list; ++ struct list_head dbg_node; + u32 flow_source; + }; + +-- +2.31.1 + 
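Review bot: Every record emitted by the `dr_dump_*` helpers identifies its object through `DR_DBG_PTR_TO_ID`, the low 32 bits of a live kernel heap pointer, and `mlx5dr_dbg_init_dump` publishes the node with mode 0444, so readers of the file obtain raw address bits that `%p` hashing elsewhere in the kernel avoids; the backport should be carried with a note that the dump is only as restricted as the debugfs mount itself (default mode 0700, root-only). A smaller point in `dr_dump_domain_info_caps`: the empty `xa_for_each` loop leaves `vports_num` at the last populated index rather than at a count, so the printed field appears off by one for a dense vport range and is worth confirming against upstream. Since the `From` line appears to carry the upstream commit id, both items belong in an upstream follow-up rather than a local edit of this patch file.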
diff --git a/SPECS/kernel-hci/0048-net-mlx5-DR-Add-support-for-UPLINK-destination-type.patch b/SPECS/kernel-hci/0048-net-mlx5-DR-Add-support-for-UPLINK-destination-type.patch
new file mode 100644
index 00000000000..9e240d9aa48
--- /dev/null
+++ b/SPECS/kernel-hci/0048-net-mlx5-DR-Add-support-for-UPLINK-destination-type.patch
@@ -0,0 +1,137 @@
+From 5a71e1b91f33985b0b7de1ebe3e5a24de5be0260 Mon Sep 17 00:00:00 2001
+From: Yevgeny Kliteynik
+Date: Sun, 24 Oct 2021 21:36:30 +0300
+Subject: [PATCH 40/58] net/mlx5: DR, Add support for UPLINK destination type
+
+Add support for a new destination type - UPLINK.
+
+Signed-off-by: Yevgeny Kliteynik
+Change-Id: I2581ff047f6e63c291d18d732d8b62222a43e0c2
+---
+ .../net/ethernet/mellanox/mlx5/core/fs_cmd.c | 3 ++-
+ .../net/ethernet/mellanox/mlx5/core/fs_core.c | 3 ++-
+ .../mellanox/mlx5/core/steering/dr_cmd.c | 20 +++++++++++++------
+ .../mellanox/mlx5/core/steering/fs_dr.c | 18 +++++++++++++++--
+ 4 files changed, 34 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
+index 750b21124a1a..98588e117349 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
+@@ -451,7 +451,8 @@ static int mlx5_set_extended_dest(struct mlx5_core_dev *dev,
+ list_for_each_entry(dst, &fte->node.children, node.list) {
+ if (dst->dest_attr.type == MLX5_FLOW_DESTINATION_TYPE_COUNTER)
+ continue;
+- if (dst->dest_attr.type == MLX5_FLOW_DESTINATION_TYPE_VPORT &&
++ if ((dst->dest_attr.type == MLX5_FLOW_DESTINATION_TYPE_VPORT ||
++ dst->dest_attr.type == MLX5_FLOW_DESTINATION_TYPE_UPLINK) &&
+ dst->dest_attr.vport.flags & MLX5_FLOW_DEST_VPORT_REFORMAT_ID)
+ num_encap++;
+ num_fwd_destinations++;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+index 3d437d1f99b0..f7ac426fbf9f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -1493,7 +1493,8 @@ static bool mlx5_flow_dests_cmp(struct mlx5_flow_destination *d1,
+ struct mlx5_flow_destination *d2)
+ {
+ if (d1->type == d2->type) {
+- if ((d1->type == MLX5_FLOW_DESTINATION_TYPE_VPORT &&
++ if (((d1->type ==
MLX5_FLOW_DESTINATION_TYPE_VPORT ||
++ d1->type == MLX5_FLOW_DESTINATION_TYPE_UPLINK) &&
+ d1->vport.num == d2->vport.num &&
+ d1->vport.flags == d2->vport.flags &&
+ ((d1->vport.flags & MLX5_FLOW_DEST_VPORT_VHCA_ID) ?
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
+index 868dd83c7329..3b2d8979fbe0 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
+@@ -599,7 +599,8 @@ static int mlx5dr_cmd_set_extended_dest(struct mlx5_core_dev *dev,
+ for (i = 0; i < fte->dests_size; i++) {
+ if (fte->dest_arr[i].type == MLX5_FLOW_DESTINATION_TYPE_COUNTER)
+ continue;
+- if (fte->dest_arr[i].type == MLX5_FLOW_DESTINATION_TYPE_VPORT &&
++ if ((fte->dest_arr[i].type == MLX5_FLOW_DESTINATION_TYPE_VPORT ||
++ fte->dest_arr[i].type == MLX5_FLOW_DESTINATION_TYPE_UPLINK) &&
+ fte->dest_arr[i].vport.flags & MLX5_FLOW_DEST_VPORT_REFORMAT_ID)
+ num_encap++;
+ num_fwd_destinations++;
+@@ -724,12 +725,19 @@ int mlx5dr_cmd_set_fte(struct mlx5_core_dev *dev,
+ case MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE:
+ id = fte->dest_arr[i].ft_id;
+ break;
++ case MLX5_FLOW_DESTINATION_TYPE_UPLINK:
+ case MLX5_FLOW_DESTINATION_TYPE_VPORT:
+- id = fte->dest_arr[i].vport.num;
+- MLX5_SET(dest_format_struct, in_dests,
+- destination_eswitch_owner_vhca_id_valid,
+- !!(fte->dest_arr[i].vport.flags &
+- MLX5_FLOW_DEST_VPORT_VHCA_ID));
++ if (type == MLX5_FLOW_DESTINATION_TYPE_VPORT) {
++ id = fte->dest_arr[i].vport.num;
++ MLX5_SET(dest_format_struct, in_dests,
++ destination_eswitch_owner_vhca_id_valid,
++ !!(fte->dest_arr[i].vport.flags &
++ MLX5_FLOW_DEST_VPORT_VHCA_ID));
++ } else {
++ id = 0;
++ MLX5_SET(dest_format_struct, in_dests,
++ destination_eswitch_owner_vhca_id_valid, 1);
++ }
+ MLX5_SET(dest_format_struct, in_dests,
+ destination_eswitch_owner_vhca_id,
+ fte->dest_arr[i].vport.vhca_id);
+diff --git
a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c
+index 5d22a28294d5..54dc366c5f0a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c
+@@ -1,6 +1,7 @@
+ // SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB
+ /* Copyright (c) 2019 Mellanox Technologies */
+
++#include
+ #include "mlx5_core.h"
+ #include "fs_core.h"
+ #include "fs_cmd.h"
+@@ -193,6 +194,15 @@ static struct mlx5dr_action *create_vport_action(struct mlx5dr_domain *domain,
+ dest_attr->vport.vhca_id);
+ }
+
++static struct mlx5dr_action *create_uplink_action(struct mlx5dr_domain *domain,
++ struct mlx5_flow_rule *dst)
++{
++ struct mlx5_flow_destination *dest_attr = &dst->dest_attr;
++
++ return mlx5dr_action_create_dest_vport(domain, MLX5_VPORT_UPLINK, 1,
++ dest_attr->vport.vhca_id);
++}
++
+ static struct mlx5dr_action *create_ft_action(struct mlx5dr_domain *domain,
+ struct mlx5_flow_rule *dst)
+ {
+@@ -217,7 +227,8 @@ static struct mlx5dr_action *create_action_push_vlan(struct mlx5dr_domain *domai
+
+ static bool contain_vport_reformat_action(struct mlx5_flow_rule *dst)
+ {
+- return dst->dest_attr.type == MLX5_FLOW_DESTINATION_TYPE_VPORT &&
++ return (dst->dest_attr.type == MLX5_FLOW_DESTINATION_TYPE_VPORT ||
++ dst->dest_attr.type == MLX5_FLOW_DESTINATION_TYPE_UPLINK) &&
+ dst->dest_attr.vport.flags & MLX5_FLOW_DEST_VPORT_REFORMAT_ID;
+ }
+
+@@ -410,8 +421,11 @@ static int mlx5_cmd_dr_create_fte(struct mlx5_flow_root_namespace *ns,
+ fs_dr_actions[fs_dr_num_actions++] = tmp_action;
+ term_actions[num_term_actions++].dest = tmp_action;
+ break;
++ case MLX5_FLOW_DESTINATION_TYPE_UPLINK:
+ case MLX5_FLOW_DESTINATION_TYPE_VPORT:
+- tmp_action = create_vport_action(domain, dst);
++ tmp_action = type == MLX5_FLOW_DESTINATION_TYPE_VPORT ?
++ create_vport_action(domain, dst) :
++ create_uplink_action(domain, dst);
+ if (!tmp_action) {
+ err = -ENOMEM;
+ goto free_actions;
+--
+2.31.1
+
diff --git a/SPECS/kernel-hci/0049-net-mlx5-DR-Warn-on-failure-to-destroy-objects-due-t.patch b/SPECS/kernel-hci/0049-net-mlx5-DR-Warn-on-failure-to-destroy-objects-due-t.patch
new file mode 100644
index 00000000000..85950f80074
--- /dev/null
+++ b/SPECS/kernel-hci/0049-net-mlx5-DR-Warn-on-failure-to-destroy-objects-due-t.patch
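Review bot: The `VPORT || UPLINK` destination test is now spelled out by hand at four sites (`mlx5_set_extended_dest`, `mlx5_flow_dests_cmp`, `mlx5dr_cmd_set_extended_dest` and `contain_vport_reformat_action`), which is exactly the kind of predicate that drifts the next time a destination type is added; a small inline helper such as `static inline bool mlx5_flow_dest_is_vport_like(const struct mlx5_flow_destination *d) { return d->type == MLX5_FLOW_DESTINATION_TYPE_VPORT || d->type == MLX5_FLOW_DESTINATION_TYPE_UPLINK; }` would keep them in step. The new `UPLINK` branch in `mlx5dr_cmd_set_fte` forces `destination_eswitch_owner_vhca_id_valid` to 1 and still consumes `fte->dest_arr[i].vport.vhca_id` without consulting `vport.flags`, mirroring the literal `1` passed by `create_uplink_action`; that cross-file agreement deserves a one-line comment at either site, and whether `type` is the switch operand cannot be confirmed here because the enclosing function starts outside the hunk. On provenance, the `Change-Id` trailer and the `[PATCH 40/58]` numbering suggest an export from a vendor tree rather than from mainline, so recording the mainline commit id in the header would make this backport traceable.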
@@ -0,0 +1,73 @@ +From c62ddd0d8f803c986dbe76535c7f6fb00a07f1a5 Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Wed, 29 Sep 2021 15:36:32 +0300 +Subject: [PATCH 41/58] net/mlx5: DR, Warn on failure to destroy objects due to + refcount + +Add WARN_ON_ONCE on refcount checks in SW steering object destructors + +Signed-off-by: Paul Blakey +Signed-off-by: Yevgeny Kliteynik +Change-Id: Id08e59d21fa6b6cb4c9f73c06a5d2322420781e8 +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +index d82df9cefb91..22782777a339 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +@@ -1787,7 +1787,7 @@ mlx5dr_action_create_dest_vport(struct mlx5dr_domain *dmn, + + int mlx5dr_action_destroy(struct mlx5dr_action *action) + { +- if (refcount_read(&action->refcount) > 1) ++ if (WARN_ON_ONCE(refcount_read(&action->refcount) > 1)) + return -EBUSY; + + switch (action->action_type) { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +index 0a07c8e2962d..7abab7a078cd 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +@@ -391,7 +391,7 @@ int mlx5dr_domain_sync(struct mlx5dr_domain *dmn, u32 flags) + + int mlx5dr_domain_destroy(struct mlx5dr_domain *dmn) + { +- if (refcount_read(&dmn->refcount) > 1) ++ if (WARN_ON_ONCE(refcount_read(&dmn->refcount) > 1)) + return -EBUSY; + + /* make sure resources are not 
used by the hardware */ +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +index 4ed0918b6401..28ef80ce0bbc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +@@ -1057,7 +1057,7 @@ int mlx5dr_matcher_destroy(struct mlx5dr_matcher *matcher) + { + struct mlx5dr_table *tbl = matcher->tbl; + +- if (refcount_read(&matcher->refcount) > 1) ++ if (WARN_ON_ONCE(refcount_read(&matcher->refcount) > 1)) + return -EBUSY; + + mlx5dr_domain_lock(tbl->dmn); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +index 241ee49a24ba..1d6b43a52c58 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +@@ -283,7 +283,7 @@ int mlx5dr_table_destroy(struct mlx5dr_table *tbl) + { + int ret; + +- if (refcount_read(&tbl->refcount) > 1) ++ if (WARN_ON_ONCE(refcount_read(&tbl->refcount) > 1)) + return -EBUSY; + + mlx5dr_dbg_tbl_del(tbl); +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0050-net-mlx5-Add-misc5-flow-table-match-parameters.patch b/SPECS/kernel-hci/0050-net-mlx5-Add-misc5-flow-table-match-parameters.patch new file mode 100644 index 00000000000..1632f28d75b --- /dev/null +++ b/SPECS/kernel-hci/0050-net-mlx5-Add-misc5-flow-table-match-parameters.patch 
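Review bot: Wrapping the refcount checks in `mlx5dr_action_destroy`, `mlx5dr_domain_destroy`, `mlx5dr_matcher_destroy` and `mlx5dr_table_destroy` with `WARN_ON_ONCE()` changes the failure mode on kernels booted with `panic_on_warn`: what was a recoverable `-EBUSY` return becomes a panic. The patch description should state that a refcount above 1 at destroy time is treated as a driver bug, so the warning is intentional and not a condition callers are expected to hit in normal operation. The file is numbered 0049 in the series directory while its subject line reads `[PATCH 41/58]`; reconciling the two would keep the series order unambiguous.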
@@ -0,0 +1,109 @@ +From 9a52dab6410affdf1a7184b07481c7fa20cca0d4 Mon Sep 17 00:00:00 2001 +From: Muhammad Sammar +Date: Sun, 5 Sep 2021 15:16:21 +0300 +Subject: [PATCH 42/58] net/mlx5: Add misc5 flow table match parameters + +Add support for misc5 match parameter as per HW spec, this will allow +matching on tunnel_header fields. + +Signed-off-by: Muhammad Sammar +Signed-off-by: Yevgeny Kliteynik +Change-Id: I5099189a66a2c316157e2a1493758a5d59ae7921 +--- + .../net/ethernet/mellanox/mlx5/core/fs_core.h | 2 +- + include/linux/mlx5/device.h | 1 + + include/linux/mlx5/mlx5_ifc.h | 25 ++++++++++++++++++- + include/uapi/rdma/mlx5_user_ioctl_cmds.h | 2 +- + 4 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h +index 7711db245c63..5469b08d635f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h +@@ -203,7 +203,7 @@ struct mlx5_ft_underlay_qp { + u32 qpn; + }; + +-#define MLX5_FTE_MATCH_PARAM_RESERVED reserved_at_c00 ++#define MLX5_FTE_MATCH_PARAM_RESERVED reserved_at_e00 + /* Calculate the fte_match_param length and without the reserved length. + * Make sure the reserved field is the last. 
+ */ +diff --git a/include/linux/mlx5/device.h b/include/linux/mlx5/device.h +index b2352a0fdd23..2ab2cac3d60b 100644 +--- a/include/linux/mlx5/device.h ++++ b/include/linux/mlx5/device.h +@@ -1099,6 +1099,7 @@ enum { + MLX5_MATCH_MISC_PARAMETERS_2 = 1 << 3, + MLX5_MATCH_MISC_PARAMETERS_3 = 1 << 4, + MLX5_MATCH_MISC_PARAMETERS_4 = 1 << 5, ++ MLX5_MATCH_MISC_PARAMETERS_5 = 1 << 6, + }; + + enum { +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 84e6e5cdd3b2..1465fbcc9b51 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -662,6 +662,26 @@ struct mlx5_ifc_fte_match_set_misc4_bits { + u8 reserved_at_100[0x100]; + }; + ++struct mlx5_ifc_fte_match_set_misc5_bits { ++ u8 macsec_tag_0[0x20]; ++ ++ u8 macsec_tag_1[0x20]; ++ ++ u8 macsec_tag_2[0x20]; ++ ++ u8 macsec_tag_3[0x20]; ++ ++ u8 tunnel_header_0[0x20]; ++ ++ u8 tunnel_header_1[0x20]; ++ ++ u8 tunnel_header_2[0x20]; ++ ++ u8 tunnel_header_3[0x20]; ++ ++ u8 reserved_at_100[0x100]; ++}; ++ + struct mlx5_ifc_cmd_pas_bits { + u8 pa_h[0x20]; + +@@ -1819,7 +1839,9 @@ struct mlx5_ifc_fte_match_param_bits { + + struct mlx5_ifc_fte_match_set_misc4_bits misc_parameters_4; + +- u8 reserved_at_c00[0x400]; ++ struct mlx5_ifc_fte_match_set_misc5_bits misc_parameters_5; ++ ++ u8 reserved_at_e00[0x200]; + }; + + enum { +@@ -5868,6 +5890,7 @@ enum { + MLX5_QUERY_FLOW_GROUP_IN_MATCH_CRITERIA_ENABLE_MISC_PARAMETERS_2 = 0x3, + MLX5_QUERY_FLOW_GROUP_IN_MATCH_CRITERIA_ENABLE_MISC_PARAMETERS_3 = 0x4, + MLX5_QUERY_FLOW_GROUP_IN_MATCH_CRITERIA_ENABLE_MISC_PARAMETERS_4 = 0x5, ++ MLX5_QUERY_FLOW_GROUP_IN_MATCH_CRITERIA_ENABLE_MISC_PARAMETERS_5 = 0x6, + }; + + struct mlx5_ifc_query_flow_group_out_bits { +diff --git a/include/uapi/rdma/mlx5_user_ioctl_cmds.h b/include/uapi/rdma/mlx5_user_ioctl_cmds.h +index ca2372864b70..e539c84d63f1 100644 +--- a/include/uapi/rdma/mlx5_user_ioctl_cmds.h ++++ b/include/uapi/rdma/mlx5_user_ioctl_cmds.h +@@ -252,7 +252,7 @@ enum 
mlx5_ib_device_query_context_attrs { + MLX5_IB_ATTR_QUERY_CONTEXT_RESP_UCTX = (1U << UVERBS_ID_NS_SHIFT), + }; + +-#define MLX5_IB_DW_MATCH_PARAM 0x90 ++#define MLX5_IB_DW_MATCH_PARAM 0xA0 + + struct mlx5_ib_match_params { + __u32 match_params[MLX5_IB_DW_MATCH_PARAM]; +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0051-net-mlx5-DR-Add-misc5-to-match_param-structs.patch b/SPECS/kernel-hci/0051-net-mlx5-DR-Add-misc5-to-match_param-structs.patch new file mode 100644 index 00000000000..064e034a602 --- /dev/null +++ b/SPECS/kernel-hci/0051-net-mlx5-DR-Add-misc5-to-match_param-structs.patch 
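Review bot: `MLX5_IB_DW_MATCH_PARAM` in the UAPI header `include/uapi/rdma/mlx5_user_ioctl_cmds.h` grows from 0x90 to 0xA0 dwords, which changes `sizeof(struct mlx5_ib_match_params)` for every userspace build that picks up the header, yet the description mentions only the new misc5 fields. It should confirm that the ioctl attribute carrying this struct still accepts the shorter 0x90-dword payload from userspace built against the old header and that the kernel treats the missing tail as zero rather than reading it uninitialized; the handling code is outside this hunk, so this is a point to verify rather than a defect shown here. The `reserved_at_c00[0x400]` split into `misc_parameters_5` plus `reserved_at_e00[0x200]`, and the matching `MLX5_FTE_MATCH_PARAM_RESERVED` update in `fs_core.h`, are consistent with each other.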
@@ -0,0 +1,146 @@ +From 208c9110bb3f4c511794008d01dd2ebe02493440 Mon Sep 17 00:00:00 2001 +From: Muhammad Sammar +Date: Sun, 5 Sep 2021 14:54:59 +0300 +Subject: [PATCH 43/58] net/mlx5: DR, Add misc5 to match_param structs + +Add misc5 match params to enable matching tunnel headers. + +Signed-off-by: Muhammad Sammar +Change-Id: If05ddf21c7a661b2d07d2693a6c337e34cb4f2d3 +--- + .../mellanox/mlx5/core/steering/dr_matcher.c | 3 ++ + .../mellanox/mlx5/core/steering/dr_rule.c | 10 ++++++ + .../mellanox/mlx5/core/steering/dr_ste.c | 34 +++++++++++++++++++ + .../mellanox/mlx5/core/steering/dr_types.h | 15 +++++++- + 4 files changed, 61 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +index 28ef80ce0bbc..cc186323599c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +@@ -412,6 +412,9 @@ static int dr_matcher_set_ste_builders(struct mlx5dr_matcher *matcher, + if (matcher->match_criteria & DR_MATCHER_CRITERIA_MISC4) + mask.misc4 = matcher->mask.misc4; + ++ if (matcher->match_criteria & DR_MATCHER_CRITERIA_MISC5) ++ mask.misc5 = matcher->mask.misc5; ++ + ret = mlx5dr_ste_build_pre_check(dmn, matcher->match_criteria, + &matcher->mask, NULL); + if (ret) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c +index 3b4cd3160c27..43e7fe85cbc7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c +@@ -974,6 +974,16 @@ static bool dr_rule_verify(struct mlx5dr_matcher *matcher, + return false; + } + } ++ ++ if (match_criteria & DR_MATCHER_CRITERIA_MISC5) { ++ s_idx = offsetof(struct mlx5dr_match_param, misc5); ++ e_idx = min(s_idx + sizeof(param->misc5), value_size); ++ ++ if 
(!dr_rule_cmp_value_to_mask(mask_p, param_p, s_idx, e_idx)) { ++ mlx5dr_err(matcher->tbl->dmn, "Rule misc5 parameters contains a value not specified by mask\n"); ++ return false; ++ } ++ } + return true; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c +index 7e711b2037b5..aca3031d72c3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c +@@ -910,6 +910,26 @@ static void dr_ste_copy_mask_misc4(char *mask, struct mlx5dr_match_misc4 *spec, + IFC_GET_CLR(fte_match_set_misc4, mask, prog_sample_field_value_3, clr); + } + ++static void dr_ste_copy_mask_misc5(char *mask, struct mlx5dr_match_misc5 *spec, bool clr) ++{ ++ spec->macsec_tag_0 = ++ IFC_GET_CLR(fte_match_set_misc5, mask, macsec_tag_0, clr); ++ spec->macsec_tag_1 = ++ IFC_GET_CLR(fte_match_set_misc5, mask, macsec_tag_1, clr); ++ spec->macsec_tag_2 = ++ IFC_GET_CLR(fte_match_set_misc5, mask, macsec_tag_2, clr); ++ spec->macsec_tag_3 = ++ IFC_GET_CLR(fte_match_set_misc5, mask, macsec_tag_3, clr); ++ spec->tunnel_header_0 = ++ IFC_GET_CLR(fte_match_set_misc5, mask, tunnel_header_0, clr); ++ spec->tunnel_header_1 = ++ IFC_GET_CLR(fte_match_set_misc5, mask, tunnel_header_1, clr); ++ spec->tunnel_header_2 = ++ IFC_GET_CLR(fte_match_set_misc5, mask, tunnel_header_2, clr); ++ spec->tunnel_header_3 = ++ IFC_GET_CLR(fte_match_set_misc5, mask, tunnel_header_3, clr); ++} ++ + void mlx5dr_ste_copy_param(u8 match_criteria, + struct mlx5dr_match_param *set_param, + struct mlx5dr_match_parameters *mask, +@@ -996,6 +1016,20 @@ void mlx5dr_ste_copy_param(u8 match_criteria, + } + dr_ste_copy_mask_misc4(buff, &set_param->misc4, clr); + } ++ ++ param_location += sizeof(struct mlx5dr_match_misc4); ++ ++ if (match_criteria & DR_MATCHER_CRITERIA_MISC5) { ++ if (mask->match_sz < param_location + ++ sizeof(struct mlx5dr_match_misc5)) { ++ memcpy(tail_param, data + 
param_location, ++ mask->match_sz - param_location); ++ buff = tail_param; ++ } else { ++ buff = data + param_location; ++ } ++ dr_ste_copy_mask_misc5(buff, &set_param->misc5, clr); ++ } + } + + void mlx5dr_ste_build_eth_l2_src_dst(struct mlx5dr_ste_ctx *ste_ctx, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index 03503ab233a6..8a3686edc203 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -105,7 +105,8 @@ enum mlx5dr_matcher_criteria { + DR_MATCHER_CRITERIA_MISC2 = 1 << 3, + DR_MATCHER_CRITERIA_MISC3 = 1 << 4, + DR_MATCHER_CRITERIA_MISC4 = 1 << 5, +- DR_MATCHER_CRITERIA_MAX = 1 << 6, ++ DR_MATCHER_CRITERIA_MISC5 = 1 << 6, ++ DR_MATCHER_CRITERIA_MAX = 1 << 7, + }; + + enum mlx5dr_action_type { +@@ -762,6 +763,17 @@ struct mlx5dr_match_misc4 { + u32 reserved_auto1[8]; + }; + ++struct mlx5dr_match_misc5 { ++ u32 macsec_tag_0; ++ u32 macsec_tag_1; ++ u32 macsec_tag_2; ++ u32 macsec_tag_3; ++ u32 tunnel_header_0; ++ u32 tunnel_header_1; ++ u32 tunnel_header_2; ++ u32 tunnel_header_3; ++}; ++ + struct mlx5dr_match_param { + struct mlx5dr_match_spec outer; + struct mlx5dr_match_misc misc; +@@ -769,6 +781,7 @@ struct mlx5dr_match_param { + struct mlx5dr_match_misc2 misc2; + struct mlx5dr_match_misc3 misc3; + struct mlx5dr_match_misc4 misc4; ++ struct mlx5dr_match_misc5 misc5; + }; + + #define DR_MASK_IS_ICMPV4_SET(_misc3) ((_misc3)->icmpv4_type || \ +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0052-net-mlx5-DR-Support-matching-on-tunnel-headers-0-and.patch b/SPECS/kernel-hci/0052-net-mlx5-DR-Support-matching-on-tunnel-headers-0-and.patch new file mode 100644 index 00000000000..f70f11bdb7e --- /dev/null +++ b/SPECS/kernel-hci/0052-net-mlx5-DR-Support-matching-on-tunnel-headers-0-and.patch 
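Review bot: The new misc5 block in `mlx5dr_ste_copy_param` repeats the earlier pattern `memcpy(tail_param, data + param_location, mask->match_sz - param_location)` for a mask shorter than the end of misc5; if `match_sz` were ever smaller than `param_location` itself the `size_t` subtraction wraps and the copy overruns the source buffer. The same holds for the pre-existing misc blocks and is presumably prevented by in-kernel callers always passing a full-size mask, but neither the callers nor the function prologue are in the hunk, so either an explicit `if (mask->match_sz <= param_location) return;` before the misc5 block or a comment such as `/* callers pass match_sz >= sizeof(struct mlx5dr_match_param); a shorter buffer would wrap the length below */` would make the assumption visible. The `dr_rule_verify` addition is sound as written: it clamps with `min(s_idx + sizeof(param->misc5), value_size)` before comparing value to mask.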
@@ -0,0 +1,218 @@ +From c09d73796bab196dfe4823fa3911d962d3b8fb38 Mon Sep 17 00:00:00 2001 +From: Muhammad Sammar +Date: Sun, 5 Sep 2021 17:07:49 +0300 +Subject: [PATCH 44/58] net/mlx5: DR, Support matching on tunnel headers 0 and + 1 + +Tunnel headers are generic encapsulation headers, applies for all +tunneling protocols identified by the device native parser or by the +programmable parser, this support will enable raw matching headers 0 and 1. + +Signed-off-by: Muhammad Sammar +Signed-off-by: Yevgeny Kliteynik +Change-Id: I423a9817e24321e6475bdccf415fcd2a83ec19b4 +--- + .../mellanox/mlx5/core/steering/dr_matcher.c | 12 +++++++++- + .../mellanox/mlx5/core/steering/dr_ste.c | 10 ++++++++ + .../mellanox/mlx5/core/steering/dr_ste.h | 1 + + .../mellanox/mlx5/core/steering/dr_ste_v0.c | 23 +++++++++++++++++++ + .../mellanox/mlx5/core/steering/dr_ste_v1.c | 22 ++++++++++++++++++ + .../mellanox/mlx5/core/steering/dr_types.h | 4 ++++ + .../mellanox/mlx5/core/steering/mlx5_ifc_dr.h | 8 +++++++ + 7 files changed, 79 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +index cc186323599c..f32bc1c7f100 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +@@ -356,6 +356,12 @@ static bool dr_mask_is_tnl_mpls_over_udp(struct mlx5dr_match_param *mask, + return DR_MASK_IS_OUTER_MPLS_OVER_UDP_SET(&mask->misc2) && + dr_matcher_supp_tnl_mpls_over_udp(&dmn->info.caps); + } ++ ++static bool dr_mask_is_tnl_header_0_1_set(struct mlx5dr_match_misc5 *misc5) ++{ ++ return misc5->tunnel_header_0 || misc5->tunnel_header_1; ++} ++ + int mlx5dr_matcher_select_builders(struct mlx5dr_matcher *matcher, + struct mlx5dr_matcher_rx_tx *nic_matcher, + enum mlx5dr_ipv outer_ipv, +@@ -434,7 +440,8 @@ static int dr_matcher_set_ste_builders(struct mlx5dr_matcher *matcher, + if 
(matcher->match_criteria & (DR_MATCHER_CRITERIA_OUTER | + DR_MATCHER_CRITERIA_MISC | + DR_MATCHER_CRITERIA_MISC2 | +- DR_MATCHER_CRITERIA_MISC3)) { ++ DR_MATCHER_CRITERIA_MISC3 | ++ DR_MATCHER_CRITERIA_MISC5)) { + inner = false; + + if (dr_mask_is_wqe_metadata_set(&mask.misc2)) +@@ -516,6 +523,9 @@ static int dr_matcher_set_ste_builders(struct mlx5dr_matcher *matcher, + if (dr_mask_is_tnl_gtpu(&mask, dmn)) + mlx5dr_ste_build_tnl_gtpu(ste_ctx, &sb[idx++], + &mask, inner, rx); ++ } else if (dr_mask_is_tnl_header_0_1_set(&mask.misc5)) { ++ mlx5dr_ste_build_tnl_header_0_1(ste_ctx, &sb[idx++], ++ &mask, inner, rx); + } + + if (DR_MASK_IS_ETH_L4_MISC_SET(mask.misc3, outer)) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c +index aca3031d72c3..2725c5ceb1bf 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c +@@ -1333,6 +1333,16 @@ void mlx5dr_ste_build_flex_parser_1(struct mlx5dr_ste_ctx *ste_ctx, + ste_ctx->build_flex_parser_1_init(sb, mask); + } + ++void mlx5dr_ste_build_tnl_header_0_1(struct mlx5dr_ste_ctx *ste_ctx, ++ struct mlx5dr_ste_build *sb, ++ struct mlx5dr_match_param *mask, ++ bool inner, bool rx) ++{ ++ sb->rx = rx; ++ sb->inner = inner; ++ ste_ctx->build_tnl_header_0_1_init(sb, mask); ++} ++ + static struct mlx5dr_ste_ctx *mlx5dr_ste_ctx_arr[] = { + [MLX5_STEERING_FORMAT_CONNECTX_5] = &ste_ctx_v0, + [MLX5_STEERING_FORMAT_CONNECTX_6DX] = &ste_ctx_v1, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.h +index 2d52d065dc8b..e6c25bdf0da0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.h +@@ -141,6 +141,7 @@ struct mlx5dr_ste_ctx { + void DR_STE_CTX_BUILDER(flex_parser_0); + void DR_STE_CTX_BUILDER(flex_parser_1); + void 
DR_STE_CTX_BUILDER(tnl_gtpu); ++ void DR_STE_CTX_BUILDER(tnl_header_0_1); + void DR_STE_CTX_BUILDER(tnl_gtpu_flex_parser_0); + void DR_STE_CTX_BUILDER(tnl_gtpu_flex_parser_1); + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c +index 25de50daf263..10f2182ab417 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c +@@ -80,6 +80,7 @@ enum { + DR_STE_V0_LU_TYPE_GENERAL_PURPOSE = 0x18, + DR_STE_V0_LU_TYPE_STEERING_REGISTERS_0 = 0x2f, + DR_STE_V0_LU_TYPE_STEERING_REGISTERS_1 = 0x30, ++ DR_STE_V0_LU_TYPE_TUNNEL_HEADER = 0x34, + DR_STE_V0_LU_TYPE_DONT_CARE = MLX5DR_STE_LU_TYPE_DONT_CARE, + }; + +@@ -1874,6 +1875,27 @@ dr_ste_v0_build_tnl_gtpu_flex_parser_1_init(struct mlx5dr_ste_build *sb, + sb->ste_build_tag_func = &dr_ste_v0_build_tnl_gtpu_flex_parser_1_tag; + } + ++static int dr_ste_v0_build_tnl_header_0_1_tag(struct mlx5dr_match_param *value, ++ struct mlx5dr_ste_build *sb, ++ uint8_t *tag) ++{ ++ struct mlx5dr_match_misc5 *misc5 = &value->misc5; ++ ++ DR_STE_SET_TAG(tunnel_header, tag, tunnel_header_0, misc5, tunnel_header_0); ++ DR_STE_SET_TAG(tunnel_header, tag, tunnel_header_1, misc5, tunnel_header_1); ++ ++ return 0; ++} ++ ++static void dr_ste_v0_build_tnl_header_0_1_init(struct mlx5dr_ste_build *sb, ++ struct mlx5dr_match_param *mask) ++{ ++ sb->lu_type = DR_STE_V0_LU_TYPE_TUNNEL_HEADER; ++ dr_ste_v0_build_tnl_header_0_1_tag(mask, sb, sb->bit_mask); ++ sb->byte_mask = mlx5dr_ste_conv_bit_to_byte_mask(sb->bit_mask); ++ sb->ste_build_tag_func = &dr_ste_v0_build_tnl_header_0_1_tag; ++} ++ + struct mlx5dr_ste_ctx ste_ctx_v0 = { + /* Builders */ + .build_eth_l2_src_dst_init = &dr_ste_v0_build_eth_l2_src_dst_init, +@@ -1902,6 +1924,7 @@ struct mlx5dr_ste_ctx ste_ctx_v0 = { + .build_flex_parser_0_init = &dr_ste_v0_build_flex_parser_0_init, + .build_flex_parser_1_init = 
&dr_ste_v0_build_flex_parser_1_init, + .build_tnl_gtpu_init = &dr_ste_v0_build_flex_parser_tnl_gtpu_init, ++ .build_tnl_header_0_1_init = &dr_ste_v0_build_tnl_header_0_1_init, + .build_tnl_gtpu_flex_parser_0_init = &dr_ste_v0_build_tnl_gtpu_flex_parser_0_init, + .build_tnl_gtpu_flex_parser_1_init = &dr_ste_v0_build_tnl_gtpu_flex_parser_1_init, + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c +index 282c4865d6ab..8e644d1a9822 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c +@@ -1711,6 +1711,27 @@ dr_ste_v1_build_flex_parser_tnl_geneve_init(struct mlx5dr_ste_build *sb, + sb->ste_build_tag_func = &dr_ste_v1_build_flex_parser_tnl_geneve_tag; + } + ++static int dr_ste_v1_build_tnl_header_0_1_tag(struct mlx5dr_match_param *value, ++ struct mlx5dr_ste_build *sb, ++ uint8_t *tag) ++{ ++ struct mlx5dr_match_misc5 *misc5 = &value->misc5; ++ ++ DR_STE_SET_TAG(tunnel_header, tag, tunnel_header_0, misc5, tunnel_header_0); ++ DR_STE_SET_TAG(tunnel_header, tag, tunnel_header_1, misc5, tunnel_header_1); ++ ++ return 0; ++} ++ ++static void dr_ste_v1_build_tnl_header_0_1_init(struct mlx5dr_ste_build *sb, ++ struct mlx5dr_match_param *mask) ++{ ++ sb->lu_type = DR_STE_V1_LU_TYPE_FLEX_PARSER_TNL_HEADER; ++ dr_ste_v1_build_tnl_header_0_1_tag(mask, sb, sb->bit_mask); ++ sb->byte_mask = mlx5dr_ste_conv_bit_to_byte_mask(sb->bit_mask); ++ sb->ste_build_tag_func = &dr_ste_v1_build_tnl_header_0_1_tag; ++} ++ + static int dr_ste_v1_build_register_0_tag(struct mlx5dr_match_param *value, + struct mlx5dr_ste_build *sb, + u8 *tag) +@@ -2024,6 +2045,7 @@ struct mlx5dr_ste_ctx ste_ctx_v1 = { + .build_flex_parser_0_init = &dr_ste_v1_build_flex_parser_0_init, + .build_flex_parser_1_init = &dr_ste_v1_build_flex_parser_1_init, + .build_tnl_gtpu_init = &dr_ste_v1_build_flex_parser_tnl_gtpu_init, ++ 
.build_tnl_header_0_1_init = &dr_ste_v1_build_tnl_header_0_1_init, + .build_tnl_gtpu_flex_parser_0_init = &dr_ste_v1_build_tnl_gtpu_flex_parser_0_init, + .build_tnl_gtpu_flex_parser_1_init = &dr_ste_v1_build_tnl_gtpu_flex_parser_1_init, + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index 8a3686edc203..0ed5cafa99a8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -456,6 +456,10 @@ void mlx5dr_ste_build_tnl_gtpu_flex_parser_1(struct mlx5dr_ste_ctx *ste_ctx, + struct mlx5dr_match_param *mask, + struct mlx5dr_cmd_caps *caps, + bool inner, bool rx); ++void mlx5dr_ste_build_tnl_header_0_1(struct mlx5dr_ste_ctx *ste_ctx, ++ struct mlx5dr_ste_build *sb, ++ struct mlx5dr_match_param *mask, ++ bool inner, bool rx); + void mlx5dr_ste_build_general_purpose(struct mlx5dr_ste_ctx *ste_ctx, + struct mlx5dr_ste_build *sb, + struct mlx5dr_match_param *mask, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5_ifc_dr.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5_ifc_dr.h +index d2a937f69784..d0e20bda2622 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5_ifc_dr.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5_ifc_dr.h +@@ -490,6 +490,14 @@ struct mlx5_ifc_ste_flex_parser_tnl_gtpu_bits { + u8 reserved_at_40[0x40]; + }; + ++struct mlx5_ifc_ste_tunnel_header_bits { ++ u8 tunnel_header_0[0x20]; ++ ++ u8 tunnel_header_1[0x20]; ++ ++ u8 reserved_at_40[0x40]; ++}; ++ + struct mlx5_ifc_ste_general_purpose_bits { + u8 general_purpose_lookup_field[0x20]; + +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0053-net-mlx5-DR-Add-support-for-matching-on-geneve_tlv_o.patch b/SPECS/kernel-hci/0053-net-mlx5-DR-Add-support-for-matching-on-geneve_tlv_o.patch new file mode 100644 index 00000000000..bac4eb3b69d --- /dev/null 
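Review bot: `dr_mask_is_tnl_header_0_1_set` and both `*_build_tnl_header_0_1_tag` builders consume only `tunnel_header_0` and `tunnel_header_1`; a mask that sets `tunnel_header_2`, `tunnel_header_3` or any `macsec_tag_*` field of misc5 is never cleared by a builder. Presumably the leftover-mask check at the end of `dr_matcher_set_ste_builders` (outside the hunk) rejects such a matcher rather than silently installing a wider match than requested, but the description only speaks of headers 0 and 1 and should say how the remaining misc5 fields are handled. Style: the new tag functions in `dr_ste_v0.c` and `dr_ste_v1.c` take `uint8_t *tag` while the neighbouring builders in the same files use `u8 *tag`; `u8` is the kernel convention.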
+++ b/SPECS/kernel-hci/0053-net-mlx5-DR-Add-support-for-matching-on-geneve_tlv_o.patch 
@@ -0,0 +1,235 @@ +From f59464e257bdbd4df6df9a4505d7858a0baf6cf7 Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Mon, 8 Nov 2021 02:42:50 +0200 +Subject: [PATCH] net/mlx5: DR, Add support for matching on + geneve_tlv_option_0_exist field + +Match on geneve_tlv_option_0_exist field on devices that support STEv1. + +Signed-off-by: Muhammad Sammar +Signed-off-by: Yevgeny Kliteynik +--- + .../mellanox/mlx5/core/steering/dr_cmd.c | 7 +++++ + .../mellanox/mlx5/core/steering/dr_matcher.c | 17 +++++++++++ + .../mellanox/mlx5/core/steering/dr_ste.c | 17 +++++++++++ + .../mellanox/mlx5/core/steering/dr_ste.h | 1 + + .../mellanox/mlx5/core/steering/dr_ste_v1.c | 28 +++++++++++++++++++ + .../mellanox/mlx5/core/steering/dr_types.h | 9 +++++- + .../mellanox/mlx5/core/steering/mlx5_ifc_dr.h | 8 ++++++ + include/linux/mlx5/mlx5_ifc.h | 6 ++-- + 8 files changed, 90 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c +@@ -134,6 +134,13 @@ int mlx5dr_cmd_query_device(struct mlx5_ + + caps->isolate_vl_tc = MLX5_CAP_GEN(mdev, isolate_vl_tc_new); + ++ /* geneve_tlv_option_0_exist is the indication of ++ * STE support for lookup type flex_parser_ok ++ */ ++ caps->flex_parser_ok_bits_supp = ++ MLX5_CAP_FLOWTABLE(mdev, ++ flow_table_properties_nic_receive.ft_field_support.geneve_tlv_option_0_exist); ++ + if (caps->flex_protocols & MLX5_FLEX_PARSER_ICMP_V4_ENABLED) { + caps->flex_parser_id_icmp_dw0 = MLX5_CAP_GEN(mdev, flex_parser_id_icmp_dw0); + caps->flex_parser_id_icmp_dw1 = MLX5_CAP_GEN(mdev, flex_parser_id_icmp_dw1); +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +@@ -129,6 +129,19 @@ static bool dr_mask_is_tnl_geneve_tlv_op + } + + static bool ++dr_matcher_supp_flex_parser_ok(struct mlx5dr_cmd_caps *caps) ++{ ++ return caps->flex_parser_ok_bits_supp; ++} ++ ++static bool 
dr_mask_is_tnl_geneve_tlv_opt_exist_set(struct mlx5dr_match_misc *misc, ++ struct mlx5dr_domain *dmn) ++{ ++ return dr_matcher_supp_flex_parser_ok(&dmn->info.caps) && ++ misc->geneve_tlv_option_0_exist; ++} ++ ++static bool + dr_matcher_supp_tnl_geneve(struct mlx5dr_cmd_caps *caps) + { + return (caps->sw_format_ver == MLX5_STEERING_FORMAT_CONNECTX_6DX) || +@@ -509,6 +522,10 @@ static int dr_matcher_set_ste_builders(s + mlx5dr_ste_build_tnl_geneve_tlv_opt(ste_ctx, &sb[idx++], + &mask, &dmn->info.caps, + inner, rx); ++ if (dr_mask_is_tnl_geneve_tlv_opt_exist_set(&mask.misc, dmn)) ++ mlx5dr_ste_build_tnl_geneve_tlv_opt_exist(ste_ctx, &sb[idx++], ++ &mask, &dmn->info.caps, ++ inner, rx); + } else if (dr_mask_is_tnl_gtpu_any(&mask, dmn)) { + if (dr_mask_is_tnl_gtpu_flex_parser_0(&mask, dmn)) + mlx5dr_ste_build_tnl_gtpu_flex_parser_0(ste_ctx, &sb[idx++], +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c +@@ -750,6 +750,8 @@ static void dr_ste_copy_mask_misc(char * + spec->vxlan_vni = IFC_GET_CLR(fte_match_set_misc, mask, vxlan_vni, clr); + + spec->geneve_vni = IFC_GET_CLR(fte_match_set_misc, mask, geneve_vni, clr); ++ spec->geneve_tlv_option_0_exist = ++ IFC_GET_CLR(fte_match_set_misc, mask, geneve_tlv_option_0_exist, clr); + spec->geneve_oam = IFC_GET_CLR(fte_match_set_misc, mask, geneve_oam, clr); + + spec->outer_ipv6_flow_label = +@@ -1245,6 +1247,21 @@ void mlx5dr_ste_build_tnl_geneve_tlv_opt + ste_ctx->build_tnl_geneve_tlv_opt_init(sb, mask); + } + ++void mlx5dr_ste_build_tnl_geneve_tlv_opt_exist(struct mlx5dr_ste_ctx *ste_ctx, ++ struct mlx5dr_ste_build *sb, ++ struct mlx5dr_match_param *mask, ++ struct mlx5dr_cmd_caps *caps, ++ bool inner, bool rx) ++{ ++ if (!ste_ctx->build_tnl_geneve_tlv_opt_exist_init) ++ return; ++ ++ sb->rx = rx; ++ sb->caps = caps; ++ sb->inner = inner; ++ ste_ctx->build_tnl_geneve_tlv_opt_exist_init(sb, mask); ++} ++ + void mlx5dr_ste_build_tnl_gtpu(struct 
mlx5dr_ste_ctx *ste_ctx, + struct mlx5dr_ste_build *sb, + struct mlx5dr_match_param *mask, +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.h +@@ -135,6 +135,7 @@ struct mlx5dr_ste_ctx { + void DR_STE_CTX_BUILDER(tnl_vxlan_gpe); + void DR_STE_CTX_BUILDER(tnl_geneve); + void DR_STE_CTX_BUILDER(tnl_geneve_tlv_opt); ++ void DR_STE_CTX_BUILDER(tnl_geneve_tlv_opt_exist); + void DR_STE_CTX_BUILDER(register_0); + void DR_STE_CTX_BUILDER(register_1); + void DR_STE_CTX_BUILDER(src_gvmi_qpn); +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c +@@ -47,6 +47,7 @@ enum { + DR_STE_V1_LU_TYPE_ETHL3_IPV4_MISC_I = 0x000f, + DR_STE_V1_LU_TYPE_STEERING_REGISTERS_0 = 0x010f, + DR_STE_V1_LU_TYPE_STEERING_REGISTERS_1 = 0x0110, ++ DR_STE_V1_LU_TYPE_FLEX_PARSER_OK = 0x0011, + DR_STE_V1_LU_TYPE_FLEX_PARSER_0 = 0x0111, + DR_STE_V1_LU_TYPE_FLEX_PARSER_1 = 0x0112, + DR_STE_V1_LU_TYPE_ETHL4_MISC_O = 0x0113, +@@ -1942,6 +1943,32 @@ dr_ste_v1_build_flex_parser_tnl_geneve_t + sb->ste_build_tag_func = &dr_ste_v1_build_flex_parser_tnl_geneve_tlv_opt_tag; + } + ++static int ++dr_ste_v1_build_flex_parser_tnl_geneve_tlv_opt_exist_tag(struct mlx5dr_match_param *value, ++ struct mlx5dr_ste_build *sb, ++ uint8_t *tag) ++{ ++ u8 parser_id = sb->caps->flex_parser_id_geneve_tlv_option_0; ++ struct mlx5dr_match_misc *misc = &value->misc; ++ ++ if (misc->geneve_tlv_option_0_exist) { ++ MLX5_SET(ste_flex_parser_ok, tag, flex_parsers_ok, 1 << parser_id); ++ misc->geneve_tlv_option_0_exist = 0; ++ } ++ ++ return 0; ++} ++ ++static void ++dr_ste_v1_build_flex_parser_tnl_geneve_tlv_opt_exist_init(struct mlx5dr_ste_build *sb, ++ struct mlx5dr_match_param *mask) ++{ ++ sb->lu_type = DR_STE_V1_LU_TYPE_FLEX_PARSER_OK; ++ dr_ste_v1_build_flex_parser_tnl_geneve_tlv_opt_exist_tag(mask, sb, sb->bit_mask); ++ sb->byte_mask = 
mlx5dr_ste_conv_bit_to_byte_mask(sb->bit_mask); ++ sb->ste_build_tag_func = &dr_ste_v1_build_flex_parser_tnl_geneve_tlv_opt_exist_tag; ++} ++ + static int dr_ste_v1_build_flex_parser_tnl_gtpu_tag(struct mlx5dr_match_param *value, + struct mlx5dr_ste_build *sb, + u8 *tag) +@@ -2041,6 +2068,7 @@ struct mlx5dr_ste_ctx ste_ctx_v1 = { + .build_tnl_vxlan_gpe_init = &dr_ste_v1_build_flex_parser_tnl_vxlan_gpe_init, + .build_tnl_geneve_init = &dr_ste_v1_build_flex_parser_tnl_geneve_init, + .build_tnl_geneve_tlv_opt_init = &dr_ste_v1_build_flex_parser_tnl_geneve_tlv_opt_init, ++ .build_tnl_geneve_tlv_opt_exist_init = &dr_ste_v1_build_flex_parser_tnl_geneve_tlv_opt_exist_init, + .build_register_0_init = &dr_ste_v1_build_register_0_init, + .build_register_1_init = &dr_ste_v1_build_register_1_init, + .build_src_gvmi_qpn_init = &dr_ste_v1_build_src_gvmi_qpn_init, +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -442,6 +442,11 @@ void mlx5dr_ste_build_tnl_geneve_tlv_opt + struct mlx5dr_match_param *mask, + struct mlx5dr_cmd_caps *caps, + bool inner, bool rx); ++void mlx5dr_ste_build_tnl_geneve_tlv_opt_exist(struct mlx5dr_ste_ctx *ste_ctx, ++ struct mlx5dr_ste_build *sb, ++ struct mlx5dr_match_param *mask, ++ struct mlx5dr_cmd_caps *caps, ++ bool inner, bool rx); + void mlx5dr_ste_build_tnl_gtpu(struct mlx5dr_ste_ctx *ste_ctx, + struct mlx5dr_ste_build *sb, + struct mlx5dr_match_param *mask, +@@ -666,7 +671,8 @@ struct mlx5dr_match_misc { + u32 reserved_auto3:8; + + u32 geneve_vni:24; /* GENEVE VNI field (outer) */ +- u32 reserved_auto4:7; ++ u32 reserved_auto4:6; ++ u32 geneve_tlv_option_0_exist:1; + u32 geneve_oam:1; /* GENEVE OAM field (outer) */ + + u32 reserved_auto5:12; +@@ -851,6 +857,7 @@ struct mlx5dr_cmd_caps { + u8 flex_parser_id_gtpu_teid; + u8 flex_parser_id_gtpu_dw_2; + u8 flex_parser_id_gtpu_first_ext_dw_0; ++ u8 flex_parser_ok_bits_supp; + u8 max_ft_level; + u16 
roce_min_src_udp; + u8 sw_format_ver; +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5_ifc_dr.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5_ifc_dr.h +@@ -447,6 +447,14 @@ struct mlx5_ifc_ste_flex_parser_1_bits { + u8 flex_parser_4[0x20]; + }; + ++struct mlx5_ifc_ste_flex_parser_ok_bits { ++ u8 flex_parser_3[0x20]; ++ u8 flex_parser_2[0x20]; ++ u8 flex_parsers_ok[0x8]; ++ u8 reserved_at_48[0x18]; ++ u8 flex_parser_0[0x20]; ++}; ++ + struct mlx5_ifc_ste_flex_parser_tnl_bits { + u8 flex_parser_tunneling_header_63_32[0x20]; + +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -372,7 +372,8 @@ struct mlx5_ifc_flow_table_fields_suppor + u8 reserved_at_37[0x9]; + + u8 geneve_tlv_option_0_data[0x1]; +- u8 reserved_at_41[0x4]; ++ u8 geneve_tlv_option_0_exist[0x1]; ++ u8 reserved_at_42[0x3]; + u8 outer_first_mpls_over_udp[0x4]; + u8 outer_first_mpls_over_gre[0x4]; + u8 inner_first_mpls[0x4]; +@@ -543,7 +544,8 @@ struct mlx5_ifc_fte_match_set_misc_bits + u8 reserved_at_b8[0x8]; + + u8 geneve_vni[0x18]; +- u8 reserved_at_d8[0x7]; ++ u8 reserved_at_d8[0x6]; ++ u8 geneve_tlv_option_0_exist[0x1]; + u8 geneve_oam[0x1]; + + u8 reserved_at_e0[0xc]; diff --git a/SPECS/kernel-hci/0054-net-mlx5-DR-Improve-steering-for-empty-or-RX-TX-only.patch b/SPECS/kernel-hci/0054-net-mlx5-DR-Improve-steering-for-empty-or-RX-TX-only.patch new file mode 100644 index 00000000000..c58ff87aa59 --- /dev/null +++ b/SPECS/kernel-hci/0054-net-mlx5-DR-Improve-steering-for-empty-or-RX-TX-only.patch 
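Review bot: `dr_ste_v1_build_flex_parser_tnl_geneve_tlv_opt_exist_tag` writes `1 << parser_id` into `flex_parsers_ok`, which the new `mlx5_ifc_ste_flex_parser_ok_bits` declares as an 8-bit field, but `parser_id` is read from firmware caps (`flex_parser_id_geneve_tlv_option_0`) and is not range-checked; a value of 8 or more would be truncated by `MLX5_SET`, leaving an STE that matches on the wrong bit or no bit at all. Adding `dmn->info.caps.flex_parser_id_geneve_tlv_option_0 < 8 &&` to the condition returned by `dr_mask_is_tnl_geneve_tlv_opt_exist_set`, or a `WARN_ON_ONCE(parser_id >= 8)` in the tag builder, would make the failure explicit instead of silent. This patch file also lacks the `[PATCH NN/58]` subject numbering and `index` lines the neighbouring files carry, so its place in the series is implied only by the 0053 filename.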
@@ -0,0 +1,523 @@ +From f363d07801195963a692b33075d15b5f71fbfa5e Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Thu, 14 Oct 2021 02:34:00 +0300 +Subject: [PATCH 46/58] net/mlx5: DR, Improve steering for empty or RX/TX-only + matchers + +Every matcher has RX and TX paths. When a new matcher is created, its RX +and TX start/end anchors are connected to the respective RX and TX anchors +of the previous and next matchers. +This creates a potential performance issue: when a certain rule is added +to a matcher, in many cases it is RX or TX only rule, which may create a +long chain of RX/TX-only paths w/o the actual rules. + +This patch aims to handle this issue. + +RX and TX matchers are now handled separately: matcher connection in the +matchers chain is split into two separate lists: RX only and TX only. +when a new matcher is created, it is initially created 'detached' - its +RX/TX members are not inserted into the table's matcher list. +When an actual rule is added, only its appropriate RX or TX nic matchers +are then added to the table's nic matchers list and inserted into its +place in the chain of matchers. +I.e., if the rule that is being added is an RX-only rule, only the RX +part of the matcher will be connected to the chain, while TX part of the +matcher remains detached and doesn't prolong the TX chain of the matchers. + +Same goes for rule deletion: when the last RX/TX rule of the nic matcher +is destroyed, the nic matcher is removed from its list. 
+ +Signed-off-by: Yevgeny Kliteynik +Change-Id: Ib66c2c13d6ebd1b145056e8f101d337d429607fe +--- + .../mellanox/mlx5/core/steering/dr_matcher.c | 160 +++++++++--------- + .../mellanox/mlx5/core/steering/dr_rule.c | 28 ++- + .../mellanox/mlx5/core/steering/dr_table.c | 89 +++++----- + .../mellanox/mlx5/core/steering/dr_types.h | 9 + + 4 files changed, 156 insertions(+), 130 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +index eed1e0853494..38971fe1dfe1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c +@@ -671,10 +671,10 @@ static int dr_matcher_set_ste_builders(struct mlx5dr_matcher *matcher, + return 0; + } + +-static int dr_matcher_connect(struct mlx5dr_domain *dmn, +- struct mlx5dr_matcher_rx_tx *curr_nic_matcher, +- struct mlx5dr_matcher_rx_tx *next_nic_matcher, +- struct mlx5dr_matcher_rx_tx *prev_nic_matcher) ++static int dr_nic_matcher_connect(struct mlx5dr_domain *dmn, ++ struct mlx5dr_matcher_rx_tx *curr_nic_matcher, ++ struct mlx5dr_matcher_rx_tx *next_nic_matcher, ++ struct mlx5dr_matcher_rx_tx *prev_nic_matcher) + { + struct mlx5dr_table_rx_tx *nic_tbl = curr_nic_matcher->nic_tbl; + struct mlx5dr_domain_rx_tx *nic_dmn = nic_tbl->nic_dmn; +@@ -730,58 +730,50 @@ static int dr_matcher_connect(struct mlx5dr_domain *dmn, + return 0; + } + +-static int dr_matcher_add_to_tbl(struct mlx5dr_matcher *matcher) ++int mlx5dr_matcher_add_to_tbl_nic(struct mlx5dr_domain *dmn, ++ struct mlx5dr_matcher_rx_tx *nic_matcher) + { +- struct mlx5dr_matcher *next_matcher, *prev_matcher, *tmp_matcher; +- struct mlx5dr_table *tbl = matcher->tbl; +- struct mlx5dr_domain *dmn = tbl->dmn; ++ struct mlx5dr_matcher_rx_tx *next_nic_matcher, *prev_nic_matcher, *tmp_nic_matcher; ++ struct mlx5dr_table_rx_tx *nic_tbl = nic_matcher->nic_tbl; + bool first = true; + int ret; + +- next_matcher 
= NULL; +- list_for_each_entry(tmp_matcher, &tbl->matcher_list, list_node) { +- if (tmp_matcher->prio >= matcher->prio) { +- next_matcher = tmp_matcher; ++ /* If the nic matcher is already on its parent nic table list, ++ * then it is already connected to the chain of nic matchers. ++ */ ++ if (!list_empty(&nic_matcher->list_node)) ++ return 0; ++ ++ next_nic_matcher = NULL; ++ list_for_each_entry(tmp_nic_matcher, &nic_tbl->nic_matcher_list, list_node) { ++ if (tmp_nic_matcher->prio >= nic_matcher->prio) { ++ next_nic_matcher = tmp_nic_matcher; + break; + } + first = false; + } + +- prev_matcher = NULL; +- if (next_matcher && !first) +- prev_matcher = list_prev_entry(next_matcher, list_node); ++ prev_nic_matcher = NULL; ++ if (next_nic_matcher && !first) ++ prev_nic_matcher = list_prev_entry(next_nic_matcher, list_node); + else if (!first) +- prev_matcher = list_last_entry(&tbl->matcher_list, +- struct mlx5dr_matcher, +- list_node); +- +- if (dmn->type == MLX5DR_DOMAIN_TYPE_FDB || +- dmn->type == MLX5DR_DOMAIN_TYPE_NIC_RX) { +- ret = dr_matcher_connect(dmn, &matcher->rx, +- next_matcher ? &next_matcher->rx : NULL, +- prev_matcher ? &prev_matcher->rx : NULL); +- if (ret) +- return ret; +- } ++ prev_nic_matcher = list_last_entry(&nic_tbl->nic_matcher_list, ++ struct mlx5dr_matcher_rx_tx, ++ list_node); + +- if (dmn->type == MLX5DR_DOMAIN_TYPE_FDB || +- dmn->type == MLX5DR_DOMAIN_TYPE_NIC_TX) { +- ret = dr_matcher_connect(dmn, &matcher->tx, +- next_matcher ? &next_matcher->tx : NULL, +- prev_matcher ? 
&prev_matcher->tx : NULL); +- if (ret) +- return ret; +- } ++ ret = dr_nic_matcher_connect(dmn, nic_matcher, ++ next_nic_matcher, prev_nic_matcher); ++ if (ret) ++ return ret; + +- if (prev_matcher) +- list_add(&matcher->list_node, &prev_matcher->list_node); +- else if (next_matcher) +- list_add_tail(&matcher->list_node, +- &next_matcher->list_node); ++ if (prev_nic_matcher) ++ list_add(&nic_matcher->list_node, &prev_nic_matcher->list_node); ++ else if (next_nic_matcher) ++ list_add_tail(&nic_matcher->list_node, &next_nic_matcher->list_node); + else +- list_add(&matcher->list_node, &tbl->matcher_list); ++ list_add(&nic_matcher->list_node, &nic_matcher->nic_tbl->nic_matcher_list); + +- return 0; ++ return ret; + } + + static void dr_matcher_uninit_nic(struct mlx5dr_matcher_rx_tx *nic_matcher) +@@ -840,6 +832,9 @@ static int dr_matcher_init_nic(struct mlx5dr_matcher *matcher, + struct mlx5dr_domain *dmn = matcher->tbl->dmn; + int ret; + ++ nic_matcher->prio = matcher->prio; ++ INIT_LIST_HEAD(&nic_matcher->list_node); ++ + ret = dr_matcher_set_all_ste_builders(matcher, nic_matcher); + if (ret) + return ret; +@@ -967,6 +962,20 @@ static int dr_matcher_init(struct mlx5dr_matcher *matcher, + return ret; + } + ++static void dr_matcher_add_to_dbg_list(struct mlx5dr_matcher *matcher) ++{ ++ mutex_lock(&matcher->tbl->dmn->dump_info.dbg_mutex); ++ list_add(&matcher->list_node, &matcher->tbl->matcher_list); ++ mutex_unlock(&matcher->tbl->dmn->dump_info.dbg_mutex); ++} ++ ++static void dr_matcher_remove_from_dbg_list(struct mlx5dr_matcher *matcher) ++{ ++ mutex_lock(&matcher->tbl->dmn->dump_info.dbg_mutex); ++ list_del(&matcher->list_node); ++ mutex_unlock(&matcher->tbl->dmn->dump_info.dbg_mutex); ++} ++ + struct mlx5dr_matcher * + mlx5dr_matcher_create(struct mlx5dr_table *tbl, + u32 priority, +@@ -995,16 +1004,12 @@ mlx5dr_matcher_create(struct mlx5dr_table *tbl, + if (ret) + goto free_matcher; + +- ret = dr_matcher_add_to_tbl(matcher); +- if (ret) +- goto matcher_uninit; ++ 
dr_matcher_add_to_dbg_list(matcher); + + mlx5dr_domain_unlock(tbl->dmn); + + return matcher; + +-matcher_uninit: +- dr_matcher_uninit(matcher); + free_matcher: + mlx5dr_domain_unlock(tbl->dmn); + kfree(matcher); +@@ -1013,10 +1018,10 @@ mlx5dr_matcher_create(struct mlx5dr_table *tbl, + return NULL; + } + +-static int dr_matcher_disconnect(struct mlx5dr_domain *dmn, +- struct mlx5dr_table_rx_tx *nic_tbl, +- struct mlx5dr_matcher_rx_tx *next_nic_matcher, +- struct mlx5dr_matcher_rx_tx *prev_nic_matcher) ++static int dr_matcher_disconnect_nic(struct mlx5dr_domain *dmn, ++ struct mlx5dr_table_rx_tx *nic_tbl, ++ struct mlx5dr_matcher_rx_tx *next_nic_matcher, ++ struct mlx5dr_matcher_rx_tx *prev_nic_matcher) + { + struct mlx5dr_domain_rx_tx *nic_dmn = nic_tbl->nic_dmn; + struct mlx5dr_htbl_connect_info info; +@@ -1043,43 +1048,34 @@ static int dr_matcher_disconnect(struct mlx5dr_domain *dmn, + &info, true); + } + +-static int dr_matcher_remove_from_tbl(struct mlx5dr_matcher *matcher) ++int mlx5dr_matcher_remove_from_tbl_nic(struct mlx5dr_domain *dmn, ++ struct mlx5dr_matcher_rx_tx *nic_matcher) + { +- struct mlx5dr_matcher *prev_matcher, *next_matcher; +- struct mlx5dr_table *tbl = matcher->tbl; +- struct mlx5dr_domain *dmn = tbl->dmn; +- int ret = 0; ++ struct mlx5dr_matcher_rx_tx *prev_nic_matcher, *next_nic_matcher; ++ struct mlx5dr_table_rx_tx *nic_tbl = nic_matcher->nic_tbl; ++ int ret; + +- if (list_is_last(&matcher->list_node, &tbl->matcher_list)) +- next_matcher = NULL; +- else +- next_matcher = list_next_entry(matcher, list_node); ++ /* If the nic matcher is not on its parent nic table list, ++ * then it is detached - no need to disconnect it. 
++ */ ++ if (list_empty(&nic_matcher->list_node)) ++ return 0; + +- if (matcher->list_node.prev == &tbl->matcher_list) +- prev_matcher = NULL; ++ if (list_is_last(&nic_matcher->list_node, &nic_tbl->nic_matcher_list)) ++ next_nic_matcher = NULL; + else +- prev_matcher = list_prev_entry(matcher, list_node); +- +- if (dmn->type == MLX5DR_DOMAIN_TYPE_FDB || +- dmn->type == MLX5DR_DOMAIN_TYPE_NIC_RX) { +- ret = dr_matcher_disconnect(dmn, &tbl->rx, +- next_matcher ? &next_matcher->rx : NULL, +- prev_matcher ? &prev_matcher->rx : NULL); +- if (ret) +- return ret; +- } ++ next_nic_matcher = list_next_entry(nic_matcher, list_node); + +- if (dmn->type == MLX5DR_DOMAIN_TYPE_FDB || +- dmn->type == MLX5DR_DOMAIN_TYPE_NIC_TX) { +- ret = dr_matcher_disconnect(dmn, &tbl->tx, +- next_matcher ? &next_matcher->tx : NULL, +- prev_matcher ? &prev_matcher->tx : NULL); +- if (ret) +- return ret; +- } ++ if (nic_matcher->list_node.prev == &nic_tbl->nic_matcher_list) ++ prev_nic_matcher = NULL; ++ else ++ prev_nic_matcher = list_prev_entry(nic_matcher, list_node); + +- list_del(&matcher->list_node); ++ ret = dr_matcher_disconnect_nic(dmn, nic_tbl, next_nic_matcher, prev_nic_matcher); ++ if (ret) ++ return ret; + ++ list_del_init(&nic_matcher->list_node); + return 0; + } + +@@ -1092,7 +1088,7 @@ int mlx5dr_matcher_destroy(struct mlx5dr_matcher *matcher) + + mlx5dr_domain_lock(tbl->dmn); + +- dr_matcher_remove_from_tbl(matcher); ++ dr_matcher_remove_from_dbg_list(matcher); + dr_matcher_uninit(matcher); + refcount_dec(&matcher->tbl->refcount); + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c +index 43e7fe85cbc7..b4374578425b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c +@@ -990,8 +990,20 @@ static bool dr_rule_verify(struct mlx5dr_matcher *matcher, + static int dr_rule_destroy_rule_nic(struct mlx5dr_rule *rule, + 
struct mlx5dr_rule_rx_tx *nic_rule) + { ++ /* Check if this nic rule was actually created, or was it skipped ++ * and only the other type of the RX/TX nic rule was created. ++ */ ++ if (!nic_rule->last_rule_ste) ++ return 0; ++ + mlx5dr_domain_nic_lock(nic_rule->nic_matcher->nic_tbl->nic_dmn); + dr_rule_clean_rule_members(rule, nic_rule); ++ ++ nic_rule->nic_matcher->rules--; ++ if (!nic_rule->nic_matcher->rules) ++ mlx5dr_matcher_remove_from_tbl_nic(rule->matcher->tbl->dmn, ++ nic_rule->nic_matcher); ++ + mlx5dr_domain_nic_unlock(nic_rule->nic_matcher->nic_tbl->nic_dmn); + + return 0; +@@ -1098,24 +1110,28 @@ dr_rule_create_rule_nic(struct mlx5dr_rule *rule, + + mlx5dr_domain_nic_lock(nic_dmn); + ++ ret = mlx5dr_matcher_add_to_tbl_nic(dmn, nic_matcher); ++ if (ret) ++ goto free_hw_ste; ++ + ret = mlx5dr_matcher_select_builders(matcher, + nic_matcher, + dr_rule_get_ipv(¶m->outer), + dr_rule_get_ipv(¶m->inner)); + if (ret) +- goto free_hw_ste; ++ goto remove_from_nic_tbl; + + /* Set the tag values inside the ste array */ + ret = mlx5dr_ste_build_ste_arr(matcher, nic_matcher, param, hw_ste_arr); + if (ret) +- goto free_hw_ste; ++ goto remove_from_nic_tbl; + + /* Set the actions values/addresses inside the ste array */ + ret = mlx5dr_actions_build_ste_arr(matcher, nic_matcher, actions, + num_actions, hw_ste_arr, + &new_hw_ste_arr_sz); + if (ret) +- goto free_hw_ste; ++ goto remove_from_nic_tbl; + + cur_htbl = nic_matcher->s_htbl; + +@@ -1162,6 +1178,8 @@ dr_rule_create_rule_nic(struct mlx5dr_rule *rule, + if (htbl) + mlx5dr_htbl_put(htbl); + ++ nic_matcher->rules++; ++ + mlx5dr_domain_nic_unlock(nic_dmn); + + kfree(hw_ste_arr); +@@ -1175,6 +1193,10 @@ dr_rule_create_rule_nic(struct mlx5dr_rule *rule, + list_del(&ste_info->send_list); + kfree(ste_info); + } ++ ++remove_from_nic_tbl: ++ mlx5dr_matcher_remove_from_tbl_nic(dmn, nic_matcher); ++ + free_hw_ste: + mlx5dr_domain_nic_unlock(nic_dmn); + kfree(hw_ste_arr); +diff --git 
a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +index 1d6b43a52c58..8ca110643cc0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +@@ -3,69 +3,66 @@ + + #include "dr_types.h" + +-int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl, +- struct mlx5dr_action *action) ++static int dr_table_set_miss_action_nic(struct mlx5dr_domain *dmn, ++ struct mlx5dr_table_rx_tx *nic_tbl, ++ struct mlx5dr_action *action) + { +- struct mlx5dr_matcher *last_matcher = NULL; ++ struct mlx5dr_matcher_rx_tx *last_nic_matcher = NULL; + struct mlx5dr_htbl_connect_info info; + struct mlx5dr_ste_htbl *last_htbl; + int ret; + ++ if (!list_empty(&nic_tbl->nic_matcher_list)) ++ last_nic_matcher = list_last_entry(&nic_tbl->nic_matcher_list, ++ struct mlx5dr_matcher_rx_tx, ++ list_node); ++ ++ if (last_nic_matcher) ++ last_htbl = last_nic_matcher->e_anchor; ++ else ++ last_htbl = nic_tbl->s_anchor; ++ ++ if (action) ++ nic_tbl->default_icm_addr = ++ nic_tbl->nic_dmn->type == DR_DOMAIN_NIC_TYPE_RX ? 
++ action->dest_tbl->tbl->rx.s_anchor->chunk->icm_addr : ++ action->dest_tbl->tbl->tx.s_anchor->chunk->icm_addr; ++ else ++ nic_tbl->default_icm_addr = nic_tbl->nic_dmn->default_icm_addr; ++ ++ info.type = CONNECT_MISS; ++ info.miss_icm_addr = nic_tbl->default_icm_addr; ++ ++ ret = mlx5dr_ste_htbl_init_and_postsend(dmn, nic_tbl->nic_dmn, ++ last_htbl, &info, true); ++ if (ret) ++ mlx5dr_dbg(dmn, "Failed to set NIC RX/TX miss action, ret %d\n", ret); ++ ++ return ret; ++} ++ ++int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl, ++ struct mlx5dr_action *action) ++{ ++ int ret; ++ + if (action && action->action_type != DR_ACTION_TYP_FT) + return -EOPNOTSUPP; + + mlx5dr_domain_lock(tbl->dmn); + +- if (!list_empty(&tbl->matcher_list)) +- last_matcher = list_last_entry(&tbl->matcher_list, +- struct mlx5dr_matcher, +- list_node); +- + if (tbl->dmn->type == MLX5DR_DOMAIN_TYPE_NIC_RX || + tbl->dmn->type == MLX5DR_DOMAIN_TYPE_FDB) { +- if (last_matcher) +- last_htbl = last_matcher->rx.e_anchor; +- else +- last_htbl = tbl->rx.s_anchor; +- +- tbl->rx.default_icm_addr = action ? +- action->dest_tbl->tbl->rx.s_anchor->chunk->icm_addr : +- tbl->rx.nic_dmn->default_icm_addr; +- +- info.type = CONNECT_MISS; +- info.miss_icm_addr = tbl->rx.default_icm_addr; +- +- ret = mlx5dr_ste_htbl_init_and_postsend(tbl->dmn, +- tbl->rx.nic_dmn, +- last_htbl, +- &info, true); +- if (ret) { +- mlx5dr_dbg(tbl->dmn, "Failed to set RX miss action, ret %d\n", ret); ++ ret = dr_table_set_miss_action_nic(tbl->dmn, &tbl->rx, action); ++ if (ret) + goto out; +- } + } + + if (tbl->dmn->type == MLX5DR_DOMAIN_TYPE_NIC_TX || + tbl->dmn->type == MLX5DR_DOMAIN_TYPE_FDB) { +- if (last_matcher) +- last_htbl = last_matcher->tx.e_anchor; +- else +- last_htbl = tbl->tx.s_anchor; +- +- tbl->tx.default_icm_addr = action ? 
+- action->dest_tbl->tbl->tx.s_anchor->chunk->icm_addr : +- tbl->tx.nic_dmn->default_icm_addr; +- +- info.type = CONNECT_MISS; +- info.miss_icm_addr = tbl->tx.default_icm_addr; +- +- ret = mlx5dr_ste_htbl_init_and_postsend(tbl->dmn, +- tbl->tx.nic_dmn, +- last_htbl, &info, true); +- if (ret) { +- mlx5dr_dbg(tbl->dmn, "Failed to set TX miss action, ret %d\n", ret); ++ ret = dr_table_set_miss_action_nic(tbl->dmn, &tbl->tx, action); ++ if (ret) + goto out; +- } + } + + /* Release old action */ +@@ -122,6 +119,8 @@ static int dr_table_init_nic(struct mlx5dr_domain *dmn, + struct mlx5dr_htbl_connect_info info; + int ret; + ++ INIT_LIST_HEAD(&nic_tbl->nic_matcher_list); ++ + nic_tbl->default_icm_addr = nic_dmn->default_icm_addr; + + nic_tbl->s_anchor = mlx5dr_ste_htbl_alloc(dmn->ste_icm_pool, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index 5abd94be7fb9..41f8972435e6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -928,6 +928,7 @@ struct mlx5dr_table_rx_tx { + struct mlx5dr_ste_htbl *s_anchor; + struct mlx5dr_domain_rx_tx *nic_dmn; + u64 default_icm_addr; ++ struct list_head nic_matcher_list; + }; + + struct mlx5dr_table { +@@ -955,6 +956,9 @@ struct mlx5dr_matcher_rx_tx { + u8 num_of_builders_arr[DR_RULE_IPV_MAX][DR_RULE_IPV_MAX]; + u64 default_icm_addr; + struct mlx5dr_table_rx_tx *nic_tbl; ++ u32 prio; ++ struct list_head list_node; ++ u32 rules; + }; + + struct mlx5dr_matcher { +@@ -1136,6 +1140,11 @@ static inline void mlx5dr_domain_unlock(struct mlx5dr_domain *dmn) + mlx5dr_domain_nic_unlock(&dmn->info.rx); + } + ++int mlx5dr_matcher_add_to_tbl_nic(struct mlx5dr_domain *dmn, ++ struct mlx5dr_matcher_rx_tx *nic_matcher); ++int mlx5dr_matcher_remove_from_tbl_nic(struct mlx5dr_domain *dmn, ++ struct mlx5dr_matcher_rx_tx *nic_matcher); ++ + int mlx5dr_matcher_select_builders(struct 
mlx5dr_matcher *matcher, + struct mlx5dr_matcher_rx_tx *nic_matcher, + enum mlx5dr_ipv outer_ipv, +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0055-net-mlx5-DR-Ignore-modify-TTL-if-device-doesn-t-supp.patch b/SPECS/kernel-hci/0055-net-mlx5-DR-Ignore-modify-TTL-if-device-doesn-t-supp.patch new file mode 100644 index 00000000000..4f03356d5b8 --- /dev/null +++ b/SPECS/kernel-hci/0055-net-mlx5-DR-Ignore-modify-TTL-if-device-doesn-t-supp.patch 
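Review bot: The error path in dr_rule_create_rule_nic detaches the nic matcher unconditionally: the `remove_from_nic_tbl:` label calls mlx5dr_matcher_remove_from_tbl_nic() even when the matcher already holds rules, because mlx5dr_matcher_add_to_tbl_nic() returns 0 early for an already-connected matcher and nic_matcher->rules is only incremented on the success path. A failed builder selection or STE build for the second rule of a matcher would therefore disconnect the chain that the first rule still depends on. Guard the label with the same condition the destroy side uses: `remove_from_nic_tbl:` / `if (!nic_matcher->rules)` / `mlx5dr_matcher_remove_from_tbl_nic(dmn, nic_matcher);`. Also, dr_rule_destroy_rule_nic drops the return value of mlx5dr_matcher_remove_from_tbl_nic(), so a failed disconnect leaves a matcher with rules == 0 on the list, which later add_to_tbl_nic calls treat as connected; at least an mlx5dr_dbg there would make that state visible. dr_rule_create_rule_nic's body is only partly shown in the embedded hunk.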
@@ -0,0 +1,89 @@ +From 2a277856df73b483e869dc82f9a9ffbfc632a0d5 Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Tue, 23 Nov 2021 02:11:12 +0200 +Subject: [PATCH 47/58] net/mlx5: DR, Ignore modify TTL if device doesn't + support it + +When modifying TTL, packet's csum has to be recalculated. +Due to HW issue in ConnectX-5, csum recalculation for modify TTL +is supported through a work-around that is specifically enabled +by configuration. +If the work-around isn't enabled, ignore the modify TTL action +rather than adding an unsupported action. + +Signed-off-by: Yevgeny Kliteynik +Change-Id: I1a400b4ffb5b8cbbdccc442571619420fec6a1a4 +--- + .../mellanox/mlx5/core/steering/dr_action.c | 21 ++++++++++++++++--- + include/linux/mlx5/mlx5_ifc.h | 2 +- + 2 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +index 22782777a339..579b632fe4c5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +@@ -1557,6 +1557,12 @@ dr_action_modify_check_is_ttl_modify(const void *sw_action) + return sw_field == MLX5_ACTION_IN_FIELD_OUT_IP_TTL; + } + ++static bool dr_action_modify_ttl_ignore(struct mlx5dr_domain *dmn) ++{ ++ return !mlx5dr_ste_supp_ttl_cs_recalc(&dmn->info.caps) && ++ !MLX5_CAP_ESW_FLOWTABLE(dmn->mdev, fdb_ipv4_ttl_modify); ++} ++ + static int dr_actions_convert_modify_header(struct mlx5dr_action *action, + u32 max_hw_actions, + u32 num_sw_actions, +@@ -1588,8 +1594,13 @@ static int dr_actions_convert_modify_header(struct mlx5dr_action *action, + if (ret) + return ret; + +- if (!(*modify_ttl)) +- *modify_ttl = dr_action_modify_check_is_ttl_modify(sw_action); ++ if (!(*modify_ttl) && ++ dr_action_modify_check_is_ttl_modify(sw_action)) { ++ if (dr_action_modify_ttl_ignore(dmn)) ++ continue; ++ ++ *modify_ttl = true; ++ } + + /* Convert SW action 
to HW action */ + ret = dr_action_modify_sw_to_hw(dmn, +@@ -1628,7 +1639,7 @@ static int dr_actions_convert_modify_header(struct mlx5dr_action *action, + * modify actions doesn't exceeds the limit + */ + hw_idx++; +- if ((num_sw_actions + hw_idx - i) >= max_hw_actions) { ++ if (hw_idx >= max_hw_actions) { + mlx5dr_dbg(dmn, "Modify header action number exceeds HW limit\n"); + return -EINVAL; + } +@@ -1639,6 +1650,10 @@ static int dr_actions_convert_modify_header(struct mlx5dr_action *action, + hw_idx++; + } + ++ /* if the resulting HW actions list is empty, add NOP action */ ++ if (!hw_idx) ++ hw_idx++; ++ + *num_hw_actions = hw_idx; + + return 0; +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index d6fd4bca8a17..03351bc3072b 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -817,7 +817,7 @@ struct mlx5_ifc_flow_table_eswitch_cap_bits { + u8 fdb_to_vport_reg_c_id[0x8]; + u8 reserved_at_8[0xd]; + u8 fdb_modify_header_fwd_to_table[0x1]; +- u8 reserved_at_16[0x1]; ++ u8 fdb_ipv4_ttl_modify[0x1]; + u8 flow_source[0x1]; + u8 reserved_at_18[0x2]; + u8 multi_fdb_encap[0x1]; +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0056-net-mlx5-Add-ability-to-insert-to-specific-flow-grou.patch b/SPECS/kernel-hci/0056-net-mlx5-Add-ability-to-insert-to-specific-flow-grou.patch new file mode 100644 index 00000000000..4568eb5a298 --- /dev/null +++ b/SPECS/kernel-hci/0056-net-mlx5-Add-ability-to-insert-to-specific-flow-grou.patch 
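Review bot: The `continue` added to dr_actions_convert_modify_header drops a requested TTL modification silently when neither ttl_cs_recalc nor fdb_ipv4_ttl_modify is available, so a rule the caller believes decrements TTL is offloaded without it and nothing in the logs records that; forwarded packets then keep their TTL, which is exactly the loop protection a TTL decrement exists for. At minimum log the skip, e.g. `if (dr_action_modify_ttl_ignore(dmn)) { mlx5dr_dbg(dmn, "Modify TTL is not supported, ignoring action\n"); continue; }`, and state in the function's header comment that unsupported TTL actions are skipped rather than rejected so callers do not assume the action took effect. The "add NOP action" branch only bumps hw_idx and never writes hw_actions[0], so it presumably relies on the caller having zeroed the array and on an all-zero STE action being a NOP, neither of which is visible here; `hw_actions[0] = 0;` or a comment naming that assumption would make it explicit.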
@@ -0,0 +1,74 @@ +From c2c922dae77f36e24d246c6e310cee0c61afc6fb Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Mon, 29 Nov 2021 16:24:28 +0200 +Subject: [PATCH 100/107] net/mlx5: Add ability to insert to specific flow + group + +If the flow table isn't an autogroup the upper driver has to create the +flow groups explicitly. This information can't later be used when +creating rules to insert into a specific flow group. Allow such use case. + +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 9 ++++++++- + include/linux/mlx5/fs.h | 1 + + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index b628917e38e4..ebb7960ec62b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1696,6 +1696,7 @@ static void free_match_list(struct match_list *head, bool ft_locked) + static int build_match_list(struct match_list *match_head, + struct mlx5_flow_table *ft, + const struct mlx5_flow_spec *spec, ++ struct mlx5_flow_group *fg, + bool ft_locked) + { + struct rhlist_head *tmp, *list; +@@ -1710,6 +1711,9 @@ static int build_match_list(struct match_list *match_head, + rhl_for_each_entry_rcu(g, tmp, list, hash) { + struct match_list *curr_match; + ++ if (fg && fg != g) ++ continue; ++ + if (unlikely(!tree_get_node(&g->node))) + continue; + +@@ -1889,6 +1893,9 @@ _mlx5_add_flow_rules(struct mlx5_flow_table *ft, + if (!check_valid_spec(spec)) + return ERR_PTR(-EINVAL); + ++ if (flow_act->fg && ft->autogroup.active) ++ return ERR_PTR(-EINVAL); ++ + for (i = 0; i < dest_num; i++) { + if (!dest_is_valid(&dest[i], flow_act, ft)) + return ERR_PTR(-EINVAL); +@@ -1898,7 +1905,7 @@ _mlx5_add_flow_rules(struct mlx5_flow_table *ft, + version = atomic_read(&ft->node.version); + + /* Collect all fgs which has a 
matching match_criteria */ +- err = build_match_list(&match_head, ft, spec, take_write); ++ err = build_match_list(&match_head, ft, spec, flow_act->fg, take_write); + if (err) { + if (take_write) + up_write_ref_node(&ft->node, false); +diff --git a/include/linux/mlx5/fs.h b/include/linux/mlx5/fs.h +index b1aad14689e3..e3bfed68b08a 100644 +--- a/include/linux/mlx5/fs.h ++++ b/include/linux/mlx5/fs.h +@@ -224,6 +224,7 @@ struct mlx5_flow_act { + u32 flags; + struct mlx5_fs_vlan vlan[MLX5_FS_VLAN_DEPTH]; + struct ib_counters *counters; ++ struct mlx5_flow_group *fg; + }; + + #define MLX5_DECLARE_FLOW_ACT(name) \ +-- +2.33.2 + diff --git a/SPECS/kernel-hci/0057-net-mlx5-E-Switch-reserve-and-use-same-uplink-metada.patch b/SPECS/kernel-hci/0057-net-mlx5-E-Switch-reserve-and-use-same-uplink-metada.patch new file mode 100644 index 00000000000..ac095cb7380 --- /dev/null +++ b/SPECS/kernel-hci/0057-net-mlx5-E-Switch-reserve-and-use-same-uplink-metada.patch 
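Review bot: The new `flow_act->fg` check in _mlx5_add_flow_rules only rejects autogroup tables; nothing verifies that the supplied group belongs to `ft`, and build_match_list filters by pointer equality alone, so a caller passing a group from another table (or a stale pointer) silently ends up with an empty match list and whatever the code after the hunk does with that. Since a group is a tree child of its table, an ownership check next to the autogroup test, something like `if (flow_act->fg && flow_act->fg->node.parent != &ft->node) return ERR_PTR(-EINVAL);` (field names to be confirmed against fs_core.h), would fail fast at the right layer. The new `fg` member of struct mlx5_flow_act is a public API field and deserves a one-line comment such as `/* optional: insert only into this explicitly created group; rejected on autogroup tables */`. The rest of _mlx5_add_flow_rules lies outside the hunk.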
@@ -0,0 +1,90 @@ +From 0b0ea3c5b1c087b20ee3edb8f0846bce5f08a807 Mon Sep 17 00:00:00 2001 +From: Sunil Rani +Date: Wed, 10 Mar 2021 00:53:39 +0200 +Subject: [PATCH 101/107] net/mlx5: E-Switch, reserve and use same uplink metadata across ports + +When in switchdev mode wire traffic will hit the FDB in one of two +scenarios. + +- Shared FDB, in that case traffic from both physical ports should be + tagged by the same metadata value so a single FDB rule could catch + traffic from both ports. + +- Two E-Switches, traffic from each physical port will hit the native + E-Switch which means traffic from one physical port can't reach the + E-Switch of the other one. + +Looking at those two scenarios it means we can always use the same metadata +value to tag wire traffic regardless of the mode. + +Reserve a single metadata value to be used to tag wire traffic. + +Signed-off-by: Sunil Rani +Signed-off-by: Saeed Mahameed +--- + .../mellanox/mlx5/core/eswitch_offloads.c | 28 +++++++++++++++++-- + 1 file changed, 25 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index 9a7b25692505..efaf3be73a7b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -2845,6 +2845,19 @@ bool mlx5_esw_vport_match_metadata_supported(const struct mlx5_eswitch *esw) + return true; + } + ++#define MLX5_ESW_METADATA_RSVD_UPLINK 1 ++ ++/* Share the same metadata for uplink's. This is fine because: ++ * (a) In shared FDB mode (LAG) both uplink's are treated the ++ * same and tagged with the same metadata. ++ * (b) In non shared FDB mode, packets from physical port0 ++ * cannot hit eswitch of PF1 and vice versa. 
++ */ ++static u32 mlx5_esw_match_metadata_reserved(struct mlx5_eswitch *esw) ++{ ++ return MLX5_ESW_METADATA_RSVD_UPLINK; ++} ++ + u32 mlx5_esw_match_metadata_alloc(struct mlx5_eswitch *esw) + { + u32 vport_end_ida = (1 << ESW_VPORT_BITS) - 1; +@@ -2859,8 +2872,10 @@ u32 mlx5_esw_match_metadata_alloc(struct mlx5_eswitch *esw) + return 0; + + /* Metadata is 4 bits of PFNUM and 12 bits of unique id */ +- /* Use only non-zero vport_id (1-4095) for all PF's */ +- id = ida_alloc_range(&esw->offloads.vport_metadata_ida, 1, vport_end_ida, GFP_KERNEL); ++ /* Use only non-zero vport_id (2-4095) for all PF's */ ++ id = ida_alloc_range(&esw->offloads.vport_metadata_ida, ++ MLX5_ESW_METADATA_RSVD_UPLINK + 1, ++ vport_end_ida, GFP_KERNEL); + if (id < 0) + return 0; + id = (pf_num << ESW_VPORT_BITS) | id; +@@ -2878,7 +2893,11 @@ void mlx5_esw_match_metadata_free(struct mlx5_eswitch *esw, u32 metadata) + static int esw_offloads_vport_metadata_setup(struct mlx5_eswitch *esw, + struct mlx5_vport *vport) + { +- vport->default_metadata = mlx5_esw_match_metadata_alloc(esw); ++ if (vport->vport == MLX5_VPORT_UPLINK) ++ vport->default_metadata = mlx5_esw_match_metadata_reserved(esw); ++ else ++ vport->default_metadata = mlx5_esw_match_metadata_alloc(esw); ++ + vport->metadata = vport->default_metadata; + return vport->metadata ? 0 : -ENOSPC; + } +@@ -2889,6 +2908,9 @@ static void esw_offloads_vport_metadata_cleanup(struct mlx5_eswitch *esw, + if (!vport->default_metadata) + return; + ++ if (vport->vport == MLX5_VPORT_UPLINK) ++ return; ++ + WARN_ON(vport->metadata != vport->default_metadata); + mlx5_esw_match_metadata_free(esw, vport->default_metadata); + } +-- +2.33.2 + diff --git a/SPECS/kernel-hci/0058-net-mlx5-E-switch-remove-special-uplink-ingress-ACL-.patch b/SPECS/kernel-hci/0058-net-mlx5-E-switch-remove-special-uplink-ingress-ACL-.patch new file mode 100644 index 00000000000..0d12e1ca5b9 --- /dev/null 
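Review bot: mlx5_esw_match_metadata_reserved() takes an `esw` argument it never reads, and the invariant that makes the reservation safe (ida allocation starting at `MLX5_ESW_METADATA_RSVD_UPLINK + 1`, so the reserved value can never collide with an allocated id) is only implied by the changed range in mlx5_esw_match_metadata_alloc. Either drop the unused parameter or, if it is kept for symmetry with the alloc/free API, say so, and put the invariant next to the constant, e.g. `/* Reserved uplink metadata; mlx5_esw_match_metadata_alloc() hands out ids starting at MLX5_ESW_METADATA_RSVD_UPLINK + 1, so it never collides. */`. The reserved value also carries pf_num 0 in its upper bits, which is fine only because every allocated id has a low 12-bit part of at least 2; the updated "(2-4095)" comment could spell that out. Since both uplinks now share one metadata value, rules matching on source-vport metadata can no longer tell wire traffic of port 0 from port 1 in shared-FDB mode — intended per the description, but worth a sentence in a comment on esw_offloads_vport_metadata_setup.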
+++ b/SPECS/kernel-hci/0058-net-mlx5-E-switch-remove-special-uplink-ingress-ACL-.patch 
@@ -0,0 +1,119 @@ +From 82e86a6c7109e0beed1828304b7d62ce2e597444 Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Mon, 29 Nov 2021 07:57:14 +0000 +Subject: [PATCH 102/107] net/mlx5: E-switch, remove special uplink ingress ACL + handling + +As both uplinks set the same metadata there is no need to merge +the ACL handling of both into a single one. + +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +--- + .../mellanox/mlx5/core/eswitch_offloads.c | 65 +------------------ + 1 file changed, 1 insertion(+), 64 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index efaf3be73a7b..f65231e579bb 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -2378,60 +2378,6 @@ void esw_offloads_unload_rep(struct mlx5_eswitch *esw, u16 vport_num) + mlx5_esw_offloads_devlink_port_unregister(esw, vport_num); + } + +-static int esw_set_uplink_slave_ingress_root(struct mlx5_core_dev *master, +- struct mlx5_core_dev *slave) +-{ +- u32 in[MLX5_ST_SZ_DW(set_flow_table_root_in)] = {}; +- u32 out[MLX5_ST_SZ_DW(set_flow_table_root_out)] = {}; +- struct mlx5_eswitch *esw; +- struct mlx5_flow_root_namespace *root; +- struct mlx5_flow_namespace *ns; +- struct mlx5_vport *vport; +- int err; +- +- MLX5_SET(set_flow_table_root_in, in, opcode, +- MLX5_CMD_OP_SET_FLOW_TABLE_ROOT); +- MLX5_SET(set_flow_table_root_in, in, table_type, FS_FT_ESW_INGRESS_ACL); +- MLX5_SET(set_flow_table_root_in, in, other_vport, 1); +- MLX5_SET(set_flow_table_root_in, in, vport_number, MLX5_VPORT_UPLINK); +- +- if (master) { +- esw = master->priv.eswitch; +- vport = mlx5_eswitch_get_vport(esw, MLX5_VPORT_UPLINK); +- MLX5_SET(set_flow_table_root_in, in, table_of_other_vport, 1); +- MLX5_SET(set_flow_table_root_in, in, table_vport_number, +- MLX5_VPORT_UPLINK); +- +- ns = 
mlx5_get_flow_vport_acl_namespace(master, +- MLX5_FLOW_NAMESPACE_ESW_INGRESS, +- vport->index); +- root = find_root(&ns->node); +- mutex_lock(&root->chain_lock); +- +- MLX5_SET(set_flow_table_root_in, in, +- table_eswitch_owner_vhca_id_valid, 1); +- MLX5_SET(set_flow_table_root_in, in, +- table_eswitch_owner_vhca_id, +- MLX5_CAP_GEN(master, vhca_id)); +- MLX5_SET(set_flow_table_root_in, in, table_id, +- root->root_ft->id); +- } else { +- esw = slave->priv.eswitch; +- vport = mlx5_eswitch_get_vport(esw, MLX5_VPORT_UPLINK); +- ns = mlx5_get_flow_vport_acl_namespace(slave, +- MLX5_FLOW_NAMESPACE_ESW_INGRESS, +- vport->index); +- root = find_root(&ns->node); +- mutex_lock(&root->chain_lock); +- MLX5_SET(set_flow_table_root_in, in, table_id, root->root_ft->id); +- } +- +- err = mlx5_cmd_exec(slave, in, sizeof(in), out, sizeof(out)); +- mutex_unlock(&root->chain_lock); +- +- return err; +-} +- + static int esw_set_slave_root_fdb(struct mlx5_core_dev *master, + struct mlx5_core_dev *slave) + { +@@ -2613,15 +2559,10 @@ int mlx5_eswitch_offloads_config_single_fdb(struct mlx5_eswitch *master_esw, + { + int err; + +- err = esw_set_uplink_slave_ingress_root(master_esw->dev, +- slave_esw->dev); +- if (err) +- return -EINVAL; +- + err = esw_set_slave_root_fdb(master_esw->dev, + slave_esw->dev); + if (err) +- goto err_fdb; ++ return err; + + err = esw_set_master_egress_rule(master_esw->dev, + slave_esw->dev); +@@ -2633,9 +2574,6 @@ int mlx5_eswitch_offloads_config_single_fdb(struct mlx5_eswitch *master_esw, + err_acl: + esw_set_slave_root_fdb(NULL, slave_esw->dev); + +-err_fdb: +- esw_set_uplink_slave_ingress_root(NULL, slave_esw->dev); +- + return err; + } + +@@ -2644,7 +2582,6 @@ void mlx5_eswitch_offloads_destroy_single_fdb(struct mlx5_eswitch *master_esw, + { + esw_unset_master_egress_rule(master_esw->dev); + esw_set_slave_root_fdb(NULL, slave_esw->dev); +- esw_set_uplink_slave_ingress_root(NULL, slave_esw->dev); + } + + #define ESW_OFFLOADS_DEVCOM_PAIR (0) +-- +2.33.2 + 
diff --git a/SPECS/kernel-hci/0059-net-mlx5-E-switch-add-drop-rule-support-to-ingress-A.patch b/SPECS/kernel-hci/0059-net-mlx5-E-switch-add-drop-rule-support-to-ingress-A.patch new file mode 100644 index 00000000000..bcb4877bddc --- /dev/null +++ b/SPECS/kernel-hci/0059-net-mlx5-E-switch-add-drop-rule-support-to-ingress-A.patch 
@@ -0,0 +1,219 @@ +From 1749c4c51c16e3e078faae0a876d01bafb187a74 Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Mon, 29 Nov 2021 09:23:51 +0000 +Subject: [PATCH 103/107] net/mlx5: E-switch, add drop rule support to ingress + ACL + +Support inserting an ingress ACL drop rule on the uplink in +switchdev mode. This will be used by downstream patches to offload +active-backup lag mode. The drop rule (if created) is the first rule +in the ACL. + +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +--- + .../mellanox/mlx5/core/esw/acl/ingress_ofld.c | 87 +++++++++++++++++++ + .../mellanox/mlx5/core/esw/acl/ofld.h | 15 ++++ + .../net/ethernet/mellanox/mlx5/core/eswitch.h | 3 + + 3 files changed, 105 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c +index 39e948bc1204..a994e71e05c1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c +@@ -92,6 +92,7 @@ static int esw_acl_ingress_mod_metadata_create(struct mlx5_eswitch *esw, + + flow_act.action = MLX5_FLOW_CONTEXT_ACTION_MOD_HDR | MLX5_FLOW_CONTEXT_ACTION_ALLOW; + flow_act.modify_hdr = vport->ingress.offloads.modify_metadata; ++ flow_act.fg = vport->ingress.offloads.metadata_allmatch_grp; + vport->ingress.offloads.modify_metadata_rule = + mlx5_add_flow_rules(vport->ingress.acl, + NULL, &flow_act, NULL, 0); +@@ -117,6 +118,36 @@ static void esw_acl_ingress_mod_metadata_destroy(struct mlx5_eswitch *esw, + vport->ingress.offloads.modify_metadata_rule = NULL; + } + ++static int esw_acl_ingress_src_port_drop_create(struct mlx5_eswitch *esw, ++ struct mlx5_vport *vport) ++{ ++ struct mlx5_flow_act flow_act = {}; ++ struct mlx5_flow_handle *flow_rule; ++ int err = 0; ++ ++ flow_act.action = MLX5_FLOW_CONTEXT_ACTION_DROP; ++ flow_act.fg = vport->ingress.offloads.drop_grp; ++ flow_rule = 
mlx5_add_flow_rules(vport->ingress.acl, NULL, &flow_act, NULL, 0); ++ if (IS_ERR(flow_rule)) { ++ err = PTR_ERR(flow_rule); ++ goto out; ++ } ++ ++ vport->ingress.offloads.drop_rule = flow_rule; ++out: ++ return err; ++} ++ ++static void esw_acl_ingress_src_port_drop_destroy(struct mlx5_eswitch *esw, ++ struct mlx5_vport *vport) ++{ ++ if (!vport->ingress.offloads.drop_rule) ++ return; ++ ++ mlx5_del_flow_rules(vport->ingress.offloads.drop_rule); ++ vport->ingress.offloads.drop_rule = NULL; ++} ++ + static int esw_acl_ingress_ofld_rules_create(struct mlx5_eswitch *esw, + struct mlx5_vport *vport) + { +@@ -154,6 +185,7 @@ static void esw_acl_ingress_ofld_rules_destroy(struct mlx5_eswitch *esw, + { + esw_acl_ingress_allow_rule_destroy(vport); + esw_acl_ingress_mod_metadata_destroy(esw, vport); ++ esw_acl_ingress_src_port_drop_destroy(esw, vport); + } + + static int esw_acl_ingress_ofld_groups_create(struct mlx5_eswitch *esw, +@@ -170,10 +202,29 @@ static int esw_acl_ingress_ofld_groups_create(struct mlx5_eswitch *esw, + if (!flow_group_in) + return -ENOMEM; + ++ if (vport->vport == MLX5_VPORT_UPLINK) { ++ /* This group can hold an FTE to drop all traffic. ++ * Need in case LAG is enabled. ++ */ ++ MLX5_SET(create_flow_group_in, flow_group_in, start_flow_index, flow_index); ++ MLX5_SET(create_flow_group_in, flow_group_in, end_flow_index, flow_index); ++ ++ g = mlx5_create_flow_group(vport->ingress.acl, flow_group_in); ++ if (IS_ERR(g)) { ++ ret = PTR_ERR(g); ++ esw_warn(esw->dev, "vport[%d] ingress create drop flow group, err(%d)\n", ++ vport->vport, ret); ++ goto drop_err; ++ } ++ vport->ingress.offloads.drop_grp = g; ++ flow_index++; ++ } ++ + if (esw_acl_ingress_prio_tag_enabled(esw, vport)) { + /* This group is to hold FTE to match untagged packets when prio_tag + * is enabled. 
+ */ ++ memset(flow_group_in, 0, inlen); + match_criteria = MLX5_ADDR_OF(create_flow_group_in, + flow_group_in, match_criteria); + MLX5_SET(create_flow_group_in, flow_group_in, +@@ -221,6 +272,11 @@ static int esw_acl_ingress_ofld_groups_create(struct mlx5_eswitch *esw, + vport->ingress.offloads.metadata_prio_tag_grp = NULL; + } + prio_tag_err: ++ if (!IS_ERR_OR_NULL(vport->ingress.offloads.drop_grp)) { ++ mlx5_destroy_flow_group(vport->ingress.offloads.drop_grp); ++ vport->ingress.offloads.drop_grp = NULL; ++ } ++drop_err: + kvfree(flow_group_in); + return ret; + } +@@ -236,6 +292,11 @@ static void esw_acl_ingress_ofld_groups_destroy(struct mlx5_vport *vport) + mlx5_destroy_flow_group(vport->ingress.offloads.metadata_prio_tag_grp); + vport->ingress.offloads.metadata_prio_tag_grp = NULL; + } ++ ++ if (vport->ingress.offloads.drop_grp) { ++ mlx5_destroy_flow_group(vport->ingress.offloads.drop_grp); ++ vport->ingress.offloads.drop_grp = NULL; ++ } + } + + int esw_acl_ingress_ofld_setup(struct mlx5_eswitch *esw, +@@ -252,6 +313,8 @@ int esw_acl_ingress_ofld_setup(struct mlx5_eswitch *esw, + + if (mlx5_eswitch_vport_match_metadata_enabled(esw)) + num_ftes++; ++ if (vport->vport == MLX5_VPORT_UPLINK) ++ num_ftes++; + if (esw_acl_ingress_prio_tag_enabled(esw, vport)) + num_ftes++; + +@@ -320,3 +383,27 @@ int mlx5_esw_acl_ingress_vport_bond_update(struct mlx5_eswitch *esw, u16 vport_n + vport->metadata = vport->default_metadata; + return err; + } ++ ++int mlx5_esw_acl_ingress_vport_drop_rule_create(struct mlx5_eswitch *esw, u16 vport_num) ++{ ++ struct mlx5_vport *vport = mlx5_eswitch_get_vport(esw, vport_num); ++ ++ if (IS_ERR(vport)) { ++ esw_warn(esw->dev, "vport(%d) invalid!\n", vport_num); ++ return PTR_ERR(vport); ++ } ++ ++ return esw_acl_ingress_src_port_drop_create(esw, vport); ++} ++ ++void mlx5_esw_acl_ingress_vport_drop_rule_destroy(struct mlx5_eswitch *esw, u16 vport_num) ++{ ++ struct mlx5_vport *vport = mlx5_eswitch_get_vport(esw, vport_num); ++ ++ if 
(WARN_ON_ONCE(IS_ERR(vport))) { ++ esw_warn(esw->dev, "vport(%d) invalid!\n", vport_num); ++ return; ++ } ++ ++ esw_acl_ingress_src_port_drop_destroy(esw, vport); ++} +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ofld.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ofld.h +index c57869b93d60..11d3d3978848 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ofld.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ofld.h +@@ -6,6 +6,7 @@ + + #include "eswitch.h" + ++#ifdef CONFIG_MLX5_ESWITCH + /* Eswitch acl egress external APIs */ + int esw_acl_egress_ofld_setup(struct mlx5_eswitch *esw, struct mlx5_vport *vport); + void esw_acl_egress_ofld_cleanup(struct mlx5_vport *vport); +@@ -25,5 +26,19 @@ int esw_acl_ingress_ofld_setup(struct mlx5_eswitch *esw, struct mlx5_vport *vpor + void esw_acl_ingress_ofld_cleanup(struct mlx5_eswitch *esw, struct mlx5_vport *vport); + int mlx5_esw_acl_ingress_vport_bond_update(struct mlx5_eswitch *esw, u16 vport_num, + u32 metadata); ++void mlx5_esw_acl_ingress_vport_drop_rule_destroy(struct mlx5_eswitch *esw, u16 vport_num); ++int mlx5_esw_acl_ingress_vport_drop_rule_create(struct mlx5_eswitch *esw, u16 vport_num); + ++#else /* CONFIG_MLX5_ESWITCH */ ++static void ++mlx5_esw_acl_ingress_vport_drop_rule_destroy(struct mlx5_eswitch *esw, ++ u16 vport_num) ++{} ++ ++static int mlx5_esw_acl_ingress_vport_drop_rule_create(struct mlx5_eswitch *esw, ++ u16 vport_num) ++{ ++ return 0; ++} ++#endif /* CONFIG_MLX5_ESWITCH */ + #endif /* __MLX5_ESWITCH_ACL_OFLD_H__ */ +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index ead5e8acc8be..1d01e6ee6ef1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -113,8 +113,11 @@ struct vport_ingress { + * packet with metadata. 
+ */ + struct mlx5_flow_group *metadata_allmatch_grp; ++ /* Optional group to add a drop all rule */ ++ struct mlx5_flow_group *drop_grp; + struct mlx5_modify_hdr *modify_metadata; + struct mlx5_flow_handle *modify_metadata_rule; ++ struct mlx5_flow_handle *drop_rule; + } offloads; + }; + +-- +2.33.2 + diff --git a/SPECS/kernel-hci/0060-net-mlx5-Lag-use-local-variable-already-defined-to-a.patch b/SPECS/kernel-hci/0060-net-mlx5-Lag-use-local-variable-already-defined-to-a.patch new file mode 100644 index 00000000000..ab5031cca9c --- /dev/null +++ b/SPECS/kernel-hci/0060-net-mlx5-Lag-use-local-variable-already-defined-to-a.patch 
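Review bot: The `!CONFIG_MLX5_ESWITCH` stubs added at the bottom of `esw/acl/ofld.h` are plain `static` functions in a header, so every translation unit that includes the header without calling them gets its own unused copy and a `-Wunused-function` warning; header stubs should be `static inline void mlx5_esw_acl_ingress_vport_drop_rule_destroy(...) {}` and `static inline int mlx5_esw_acl_ingress_vport_drop_rule_create(...) { return 0; }`. In `esw_acl_ingress_src_port_drop_create` the new handle is stored into `vport->ingress.offloads.drop_rule` unconditionally, so a second create without an intervening destroy silently leaks the first rule and leaves a stale drop FTE in the uplink ACL; a guard `if (vport->ingress.offloads.drop_rule) return 0;` (or a `WARN_ON_ONCE`) at the top would make the single-rule invariant explicit rather than relying on every caller to clean up first. The `err = 0; ... goto out; out: return err;` shape in the same function is a needless indirection for a single exit and could be a direct `return PTR_ERR(flow_rule);` / `return 0;`.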
@@ -0,0 +1,42 @@ +From 9278287e8d9e30b6bf6e3bd29ac387d789b8ce7f Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Thu, 20 Jan 2022 08:52:16 +0000 +Subject: [PATCH 104/107] net/mlx5: Lag, use local variable already defined to + access E-Switch + +Use the local variable for dev0 (and add from dev1) instead of using +the devices stored in the ldev structure. Makes the code easier +to read. + +Signed-off-by: Mark Bloch +Signed-off-by: Saeed Mahameed +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +index 4ddf6b330a44..0758a98a08d1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +@@ -347,6 +347,7 @@ int mlx5_activate_lag(struct mlx5_lag *ldev, + static int mlx5_deactivate_lag(struct mlx5_lag *ldev) + { + struct mlx5_core_dev *dev0 = ldev->pf[MLX5_LAG_P1].dev; ++ struct mlx5_core_dev *dev1 = ldev->pf[MLX5_LAG_P2].dev; + u32 in[MLX5_ST_SZ_DW(destroy_lag_in)] = {}; + bool roce_lag = __mlx5_lag_is_roce(ldev); + u8 flags = ldev->flags; +@@ -356,8 +357,8 @@ static int mlx5_deactivate_lag(struct mlx5_lag *ldev) + mlx5_lag_mp_reset(ldev); + + if (ldev->shared_fdb) { +- mlx5_eswitch_offloads_destroy_single_fdb(ldev->pf[MLX5_LAG_P1].dev->priv.eswitch, +- ldev->pf[MLX5_LAG_P2].dev->priv.eswitch); ++ mlx5_eswitch_offloads_destroy_single_fdb(dev0->priv.eswitch, ++ dev1->priv.eswitch); + ldev->shared_fdb = false; + } + +-- +2.33.2 + diff --git a/SPECS/kernel-hci/0061-net-mlx5-Lag-don-t-use-magic-numbers-for-ports.patch b/SPECS/kernel-hci/0061-net-mlx5-Lag-don-t-use-magic-numbers-for-ports.patch new file mode 100644 index 00000000000..72f8d5221eb --- /dev/null +++ b/SPECS/kernel-hci/0061-net-mlx5-Lag-don-t-use-magic-numbers-for-ports.patch 
@@ -0,0 +1,53 @@ +From 4f4551435ce000a47cd4f331af7b67e962f5f6f4 Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Mon, 29 Nov 2021 09:24:49 +0000 +Subject: [PATCH 105/107] net/mlx5: Lag, don't use magic numbers for ports + +Instead of using 1 & 2 as the ports numbers use an enum value. + +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +index 0758a98a08d1..05e8cbece095 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +@@ -40,6 +40,11 @@ + #include "lag.h" + #include "mp.h" + ++enum { ++ MLX5_LAG_EGRESS_PORT_1 = 1, ++ MLX5_LAG_EGRESS_PORT_2, ++}; ++ + /* General purpose, use for short periods of time. + * Beware of lock dependencies (preferably, no locks should be acquired + * under it). +@@ -193,15 +198,15 @@ static void mlx5_infer_tx_affinity_mapping(struct lag_tracker *tracker, + p2en = tracker->netdev_state[MLX5_LAG_P2].tx_enabled && + tracker->netdev_state[MLX5_LAG_P2].link_up; + +- *port1 = 1; +- *port2 = 2; ++ *port1 = MLX5_LAG_EGRESS_PORT_1; ++ *port2 = MLX5_LAG_EGRESS_PORT_2; + if ((!p1en && !p2en) || (p1en && p2en)) + return; + + if (p1en) +- *port2 = 1; ++ *port2 = MLX5_LAG_EGRESS_PORT_1; + else +- *port1 = 2; ++ *port1 = MLX5_LAG_EGRESS_PORT_2; + } + + static int _mlx5_modify_lag(struct mlx5_lag *ldev, u8 v2p_port1, u8 v2p_port2) +-- +2.33.2 + diff --git a/SPECS/kernel-hci/0062-net-mlx5-Lag-record-inactive-state-of-bond-device.patch b/SPECS/kernel-hci/0062-net-mlx5-Lag-record-inactive-state-of-bond-device.patch new file mode 100644 index 00000000000..00a6f25aac7 --- /dev/null +++ b/SPECS/kernel-hci/0062-net-mlx5-Lag-record-inactive-state-of-bond-device.patch 
@@ -0,0 +1,156 @@ +From 54493a08e21f46446b3b24577c5a6f229d049757 Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Wed, 12 Jan 2022 14:31:36 +0000 +Subject: [PATCH 106/107] net/mlx5: Lag, record inactive state of bond device + +A bond device will drop duplicate packets (received on inactive ports) +by default. A flag (all_slaves_active) can be set to override such +behaviour. This flag is a global flag per bond device (ALB mode isn't +supported by mlx5 driver so it can be ignored) + +When NETDEV_CHANGEUPPER / NETDEV_CHANGEINFODATA event is received check if +there is an interface that is inactive. + +Downstream patch will use this information in order to decide if a drop +rule is needed. + +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +--- + .../net/ethernet/mellanox/mlx5/core/lag/lag.c | 49 ++++++++++++++++++- + .../net/ethernet/mellanox/mlx5/core/lag/lag.h | 1 + + .../net/ethernet/mellanox/mlx5/core/lag/mp.c | 2 +- + 3 files changed, 49 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +index 05e8cbece095..125ac4befd74 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +@@ -31,6 +31,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -619,6 +620,8 @@ static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev, + struct net_device *upper = info->upper_dev, *ndev_tmp; + struct netdev_lag_upper_info *lag_upper_info = NULL; + bool is_bonded, is_in_lag, mode_supported; ++ bool has_inactive = 0; ++ struct slave *slave; + int bond_status = 0; + int num_slaves = 0; + int changed = 0; +@@ -638,8 +641,12 @@ static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev, + rcu_read_lock(); + for_each_netdev_in_bond_rcu(upper, ndev_tmp) { + idx = mlx5_lag_dev_get_netdev_idx(ldev, ndev_tmp); +- if (idx >= 0) ++ if (idx >= 0) { ++ slave = 
bond_slave_get_rcu(ndev_tmp); ++ if (slave) ++ has_inactive |= bond_is_slave_inactive(slave); + bond_status |= (1 << idx); ++ } + + num_slaves++; + } +@@ -654,6 +661,7 @@ static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev, + tracker->hash_type = lag_upper_info->hash_type; + } + ++ tracker->has_inactive = has_inactive; + /* Determine bonding status: + * A device is considered bonded if both its physical ports are slaves + * of the same lag master, and only them. +@@ -710,6 +718,38 @@ static int mlx5_handle_changelowerstate_event(struct mlx5_lag *ldev, + return 1; + } + ++static int mlx5_handle_changeinfodata_event(struct mlx5_lag *ldev, ++ struct lag_tracker *tracker, ++ struct net_device *ndev) ++{ ++ struct net_device *ndev_tmp; ++ struct slave *slave; ++ bool has_inactive = 0; ++ int idx; ++ ++ if (!netif_is_lag_master(ndev)) ++ return 0; ++ ++ rcu_read_lock(); ++ for_each_netdev_in_bond_rcu(ndev, ndev_tmp) { ++ idx = mlx5_lag_dev_get_netdev_idx(ldev, ndev_tmp); ++ if (idx < 0) ++ continue; ++ ++ slave = bond_slave_get_rcu(ndev_tmp); ++ if (slave) ++ has_inactive |= bond_is_slave_inactive(slave); ++ } ++ rcu_read_unlock(); ++ ++ if (tracker->has_inactive == has_inactive) ++ return 0; ++ ++ tracker->has_inactive = has_inactive; ++ ++ return 1; ++} ++ + static int mlx5_lag_netdev_event(struct notifier_block *this, + unsigned long event, void *ptr) + { +@@ -718,7 +758,9 @@ static int mlx5_lag_netdev_event(struct notifier_block *this, + struct mlx5_lag *ldev; + int changed = 0; + +- if ((event != NETDEV_CHANGEUPPER) && (event != NETDEV_CHANGELOWERSTATE)) ++ if (event != NETDEV_CHANGEUPPER && ++ event != NETDEV_CHANGELOWERSTATE && ++ event != NETDEV_CHANGEINFODATA) + return NOTIFY_DONE; + + ldev = container_of(this, struct mlx5_lag, nb); +@@ -734,6 +776,9 @@ static int mlx5_lag_netdev_event(struct notifier_block *this, + changed = mlx5_handle_changelowerstate_event(ldev, &tracker, + ndev, ptr); + break; ++ case NETDEV_CHANGEINFODATA: ++ changed = 
mlx5_handle_changeinfodata_event(ldev, &tracker, ndev); ++ break; + } + + ldev->tracker = tracker; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h +index e5d231c31b54..305d9adbe325 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h +@@ -35,6 +35,7 @@ struct lag_tracker { + enum netdev_lag_tx_type tx_type; + struct netdev_lag_lower_state_info netdev_state[MLX5_MAX_PORTS]; + unsigned int is_bonded:1; ++ unsigned int has_inactive:1; + enum netdev_lag_hash hash_type; + }; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c +index 1ca01a5b6cdd..4213208d9ef7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c +@@ -50,7 +50,7 @@ bool mlx5_lag_is_multipath(struct mlx5_core_dev *dev) + static void mlx5_lag_set_port_affinity(struct mlx5_lag *ldev, + enum mlx5_lag_port_affinity port) + { +- struct lag_tracker tracker; ++ struct lag_tracker tracker = {}; + + if (!__mlx5_lag_is_multipath(ldev)) + return; +-- +2.33.2 + diff --git a/SPECS/kernel-hci/0063-net-mlx5-Lag-offload-active-backup-drops-to-hardware.patch b/SPECS/kernel-hci/0063-net-mlx5-Lag-offload-active-backup-drops-to-hardware.patch new file mode 100644 index 00000000000..84c58c63e78 --- /dev/null +++ b/SPECS/kernel-hci/0063-net-mlx5-Lag-offload-active-backup-drops-to-hardware.patch 
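Review bot: `bool has_inactive = 0;` appears in both `mlx5_handle_changeupper_event` and the new `mlx5_handle_changeinfodata_event`; a bool should be initialised with `false` so the intent is clear and checkpatch stays quiet. The companion change in `lag/mp.c` (`struct lag_tracker tracker = {};`) suggests stack copies of `struct lag_tracker` were previously left uninitialised, and the new `has_inactive` bit is compared in `mlx5_handle_changeinfodata_event` via `tracker->has_inactive == has_inactive`; the `tracker` local in `mlx5_lag_netdev_event` is declared outside this hunk, so please confirm it is populated from `ldev->tracker` before the dispatch, otherwise the comparison reads an indeterminate bit and the change detection is unreliable. The `#include` added near the top of `lag.c` has lost its target in this rendering, so its correctness cannot be checked here.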
@@ -0,0 +1,153 @@ +From 6cb87869adbe6b1b92e1f415076a605256e267c8 Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Mon, 29 Nov 2021 09:25:03 +0000 +Subject: [PATCH 107/107] net/mlx5: Lag, offload active-backup drops to + hardware + +In active-backup mode the backup interface's packets are dropped by the +bond device. In switchdev where TC rules are offloaded to the FDB +this can lead to packets being hit in the FDB where without offload +they would have been dropped before reaching TC rules in the kernel. + +Create a drop rule to make sure packets on inactive ports are dropped +before reaching the FDB. + +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +--- + .../net/ethernet/mellanox/mlx5/core/lag/lag.c | 75 ++++++++++++++++++- + .../net/ethernet/mellanox/mlx5/core/lag/lag.h | 1 + + 2 files changed, 73 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +index 125ac4befd74..6cad3b72c133 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +@@ -38,6 +38,7 @@ + #include "lib/devcom.h" + #include "mlx5_core.h" + #include "eswitch.h" ++#include "esw/acl/ofld.h" + #include "lag.h" + #include "mp.h" + +@@ -210,6 +211,62 @@ static void mlx5_infer_tx_affinity_mapping(struct lag_tracker *tracker, + *port1 = MLX5_LAG_EGRESS_PORT_2; + } + ++static bool mlx5_lag_has_drop_rule(struct mlx5_lag *ldev) ++{ ++ return ldev->pf[MLX5_LAG_P1].has_drop || ldev->pf[MLX5_LAG_P2].has_drop; ++} ++ ++static void mlx5_lag_drop_rule_cleanup(struct mlx5_lag *ldev) ++{ ++ int i; ++ ++ for (i = 0; i < MLX5_MAX_PORTS; i++) { ++ if (!ldev->pf[i].has_drop) ++ continue; ++ ++ mlx5_esw_acl_ingress_vport_drop_rule_destroy(ldev->pf[i].dev->priv.eswitch, ++ MLX5_VPORT_UPLINK); ++ ldev->pf[i].has_drop = false; ++ } ++} ++ ++static void mlx5_lag_drop_rule_setup(struct mlx5_lag *ldev, ++ struct lag_tracker 
*tracker) ++{ ++ struct mlx5_core_dev *dev0 = ldev->pf[MLX5_LAG_P1].dev; ++ struct mlx5_core_dev *dev1 = ldev->pf[MLX5_LAG_P2].dev; ++ struct mlx5_core_dev *inactive; ++ u8 v2p_port1, v2p_port2; ++ int inactive_idx; ++ int err; ++ ++ /* First delete the current drop rule so there won't be any dropped ++ * packets ++ */ ++ mlx5_lag_drop_rule_cleanup(ldev); ++ ++ if (!ldev->tracker.has_inactive) ++ return; ++ ++ mlx5_infer_tx_affinity_mapping(tracker, &v2p_port1, &v2p_port2); ++ ++ if (v2p_port1 == MLX5_LAG_EGRESS_PORT_1) { ++ inactive = dev1; ++ inactive_idx = MLX5_LAG_P2; ++ } else { ++ inactive = dev0; ++ inactive_idx = MLX5_LAG_P1; ++ } ++ ++ err = mlx5_esw_acl_ingress_vport_drop_rule_create(inactive->priv.eswitch, ++ MLX5_VPORT_UPLINK); ++ if (!err) ++ ldev->pf[inactive_idx].has_drop = true; ++ else ++ mlx5_core_err(inactive, ++ "Failed to create lag drop rule, error: %d", err); ++} ++ + static int _mlx5_modify_lag(struct mlx5_lag *ldev, u8 v2p_port1, u8 v2p_port2) + { + struct mlx5_core_dev *dev0 = ldev->pf[MLX5_LAG_P1].dev; +@@ -244,6 +301,10 @@ void mlx5_modify_lag(struct mlx5_lag *ldev, + ldev->v2p_map[MLX5_LAG_P1], + ldev->v2p_map[MLX5_LAG_P2]); + } ++ ++ if (tracker->tx_type == NETDEV_LAG_TX_TYPE_ACTIVEBACKUP && ++ !(ldev->flags & MLX5_LAG_FLAG_ROCE)) ++ mlx5_lag_drop_rule_setup(ldev, tracker); + } + + static void mlx5_lag_set_port_sel_mode(struct mlx5_lag *ldev, +@@ -345,6 +406,10 @@ int mlx5_activate_lag(struct mlx5_lag *ldev, + return err; + } + ++ if (tracker->tx_type == NETDEV_LAG_TX_TYPE_ACTIVEBACKUP && ++ !roce_lag) ++ mlx5_lag_drop_rule_setup(ldev, tracker); ++ + ldev->flags |= flags; + ldev->shared_fdb = shared_fdb; + return 0; +@@ -379,11 +444,15 @@ static int mlx5_deactivate_lag(struct mlx5_lag *ldev) + "Failed to deactivate VF LAG; driver restart required\n" + "Make sure all VFs are unbound prior to VF LAG activation or deactivation\n"); + } +- } else if (flags & MLX5_LAG_FLAG_HASH_BASED) { +- mlx5_lag_port_sel_destroy(ldev); ++ return err; + } 
+ +- return err; ++ if (flags & MLX5_LAG_FLAG_HASH_BASED) ++ mlx5_lag_port_sel_destroy(ldev); ++ if (mlx5_lag_has_drop_rule(ldev)) ++ mlx5_lag_drop_rule_cleanup(ldev); ++ ++ return 0; + } + + static bool mlx5_lag_check_prereq(struct mlx5_lag *ldev) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h +index 305d9adbe325..cbf9a9003e55 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h +@@ -28,6 +28,7 @@ enum { + struct lag_func { + struct mlx5_core_dev *dev; + struct net_device *netdev; ++ bool has_drop; + }; + + /* Used for collection of netdev event info. */ +-- +2.33.2 + diff --git a/SPECS/kernel-hci/0064-net-mlx5-Add-mlx5_ifc-definitions-for-bridge-multica.patch b/SPECS/kernel-hci/0064-net-mlx5-Add-mlx5_ifc-definitions-for-bridge-multica.patch new file mode 100644 index 00000000000..4b39a7c0fac --- /dev/null +++ b/SPECS/kernel-hci/0064-net-mlx5-Add-mlx5_ifc-definitions-for-bridge-multica.patch @@ -0,0 +1,49 @@ +From fb80e4e6c85f562a200970838cd05c357f03c107 Mon Sep 17 00:00:00 2001 +From: Amir Tzin +Date: Mon, 29 May 2023 11:24:19 +0300 +Subject: [PATCH 49/58] net/mlx5: Add mlx5_ifc definitions for bridge multicast + support + +Upstream Status: v6.4-rc1 + +commit e5688f6fb9e3 ("net/mlx5: Add mlx5_ifc definitions for bridge multicast support") +Author: Vlad Buslov +Date: Wed Mar 1 10:33:55 2023 +0100 + + net/mlx5: Add mlx5_ifc definitions for bridge multicast support + + Add the required hardware definitions to mlx5_ifc: fdb_uplink_hairpin, + fdb_multi_path_any_table_limit_regc, fdb_multi_path_any_table. + + Signed-off-by: Vlad Buslov + Reviewed-by: Maor Dickman + Reviewed-by: Roi Dayan + 
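Review bot: `mlx5_lag_drop_rule_setup` takes a `struct lag_tracker *tracker` and feeds it to `mlx5_infer_tx_affinity_mapping`, but decides whether a drop rule is needed from `ldev->tracker.has_inactive`, so the inactive-port decision and the affinity decision can come from two different snapshots; `if (!tracker->has_inactive) return;` keeps a single source of truth (whether the two ever differ depends on how `mlx5_modify_lag`/`mlx5_activate_lag` obtain `tracker`, which is outside the hunk). When `mlx5_esw_acl_ingress_vport_drop_rule_create` fails the function only logs and returns void, so the LAG is activated with no hardware drop for the backup port and traffic received on it reaches the offloaded FDB exactly as the commit message describes; at minimum callers should be able to observe this, e.g. by returning `err` from `mlx5_lag_drop_rule_setup` and propagating it in `mlx5_activate_lag`. The `mlx5_core_err(inactive, "Failed to create lag drop rule, error: %d", err)` format string also lacks the trailing `\n` kernel log messages are expected to carry.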
Signed-off-by: Saeed Mahameed + +Change-Id: I4e1ec56242734b48f441f7d7abccecfc9ce8fa92 +Signed-off-by: Amir Tzin +--- + include/linux/mlx5/mlx5_ifc.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 03351bc3072b..8ff583d940d3 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -815,7 +815,12 @@ enum { + + struct mlx5_ifc_flow_table_eswitch_cap_bits { + u8 fdb_to_vport_reg_c_id[0x8]; +- u8 reserved_at_8[0xd]; ++ u8 reserved_at_8[0x5]; ++ u8 fdb_uplink_hairpin[0x1]; ++ u8 fdb_multi_path_any_table_limit_regc[0x1]; ++ u8 reserved_at_f[0x3]; ++ u8 fdb_multi_path_any_table[0x1]; ++ u8 reserved_at_13[0x2]; + u8 fdb_modify_header_fwd_to_table[0x1]; + u8 fdb_ipv4_ttl_modify[0x1]; + u8 flow_source[0x1]; +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0065-net-mlx5-Bridge-increase-bridge-tables-sizes.patch b/SPECS/kernel-hci/0065-net-mlx5-Bridge-increase-bridge-tables-sizes.patch new file mode 100644 index 00000000000..684e6e49eb4 --- /dev/null +++ b/SPECS/kernel-hci/0065-net-mlx5-Bridge-increase-bridge-tables-sizes.patch @@ -0,0 +1,69 @@ +From 67654146d7f5db0281b91702de526ed60b6b0a69 Mon Sep 17 00:00:00 2001 +From: Amir Tzin +Date: Mon, 29 May 2023 11:24:20 +0300 +Subject: [PATCH 50/58] net/mlx5: Bridge, increase bridge tables sizes + +Upstream Status: v6.4-rc1 + +commit 9071b423c302 ("net/mlx5: Bridge, increase bridge tables sizes") +Author: Vlad Buslov +Date: Thu Jan 5 15:28:29 2023 +0100 + + net/mlx5: Bridge, increase bridge tables sizes + + Bridge ingress and egress tables got more flow groups recently for QinQ + support and will get more in following patches of this series. Increase the + sizes of the tables to allow offloading more flows in each mode. + + Signed-off-by: Vlad Buslov + Reviewed-by: Maor Dickman + Reviewed-by: Roi Dayan + 
Signed-off-by: Saeed Mahameed + +Change-Id: Ie13f22a3735c6d7025d0226bfb990f685467fa7b +Signed-off-by: Amir Tzin +--- + drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +index 3cdcb0e0b20f..e45f9bb80535 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +@@ -13,8 +13,8 @@ + #define CREATE_TRACE_POINTS + #include "diag/bridge_tracepoint.h" + +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE 12000 +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_UNTAGGED_GRP_SIZE 16000 ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE 131072 ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_UNTAGGED_GRP_SIZE 524288 + #define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_FROM 0 + #define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_TO \ + (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE - 1) +@@ -40,10 +40,10 @@ + MLX5_ESW_BRIDGE_INGRESS_TABLE_UNTAGGED_GRP_SIZE - 1) + #define MLX5_ESW_BRIDGE_INGRESS_TABLE_SIZE \ + (MLX5_ESW_BRIDGE_INGRESS_TABLE_MAC_GRP_IDX_TO + 1) +-static_assert(MLX5_ESW_BRIDGE_INGRESS_TABLE_SIZE == 64000); ++static_assert(MLX5_ESW_BRIDGE_INGRESS_TABLE_SIZE == 1048576); + +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_SIZE 16000 +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_SIZE (32000 - 1) ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_SIZE 131072 ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_SIZE (262144 - 1) + #define MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_IDX_FROM 0 + #define MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_IDX_TO \ + (MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_SIZE - 1) +@@ -63,7 +63,7 @@ static_assert(MLX5_ESW_BRIDGE_INGRESS_TABLE_SIZE == 64000); + MLX5_ESW_BRIDGE_EGRESS_TABLE_MISS_GRP_IDX_FROM + #define MLX5_ESW_BRIDGE_EGRESS_TABLE_SIZE \ + (MLX5_ESW_BRIDGE_EGRESS_TABLE_MISS_GRP_IDX_TO + 1) 
+-static_assert(MLX5_ESW_BRIDGE_EGRESS_TABLE_SIZE == 64000); ++static_assert(MLX5_ESW_BRIDGE_EGRESS_TABLE_SIZE == 524288); + + #define MLX5_ESW_BRIDGE_SKIP_TABLE_SIZE 0 + +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0066-net-mlx5-Bridge-move-additional-data-structures-to-p.patch b/SPECS/kernel-hci/0066-net-mlx5-Bridge-move-additional-data-structures-to-p.patch new file mode 100644 index 00000000000..150b1fcdd78 --- /dev/null +++ b/SPECS/kernel-hci/0066-net-mlx5-Bridge-move-additional-data-structures-to-p.patch @@ -0,0 +1,238 @@ +From f42c18e89933cb62bbcbe75fd9591eb44c39728e Mon Sep 17 00:00:00 2001 +From: Amir Tzin +Date: Mon, 29 May 2023 11:24:20 +0300 +Subject: [PATCH 51/58] net/mlx5: Bridge, move additional data structures to + priv header + +Upstream Status: v6.4-rc1 + +commit 6767c97d7adc ("net/mlx5: Bridge, move additional data structures to priv header") +Author: Vlad Buslov +Date: Sun Feb 19 18:27:04 2023 +0100 + + net/mlx5: Bridge, move additional data structures to priv header + + Following patches in series will require accessing flow tables and groups + sizes, table levels and struct mlx5_esw_bridge from new the new source file + dedicated to multicast code. Expose these data in bridge_priv.h to reduce + clutter in following patches that will implement the actual functionality. + + Signed-off-by: Vlad Buslov + Reviewed-by: Maor Dickman + Reviewed-by: Roi Dayan + 
Signed-off-by: Saeed Mahameed + +Change-Id: I2ac7e6ac0d77f5d13e6e92498f86e9abe24c5955 +Signed-off-by: Amir Tzin +--- + .../ethernet/mellanox/mlx5/core/esw/bridge.c | 85 ------------------- + .../mellanox/mlx5/core/esw/bridge_priv.h | 85 +++++++++++++++++++ + 2 files changed, 85 insertions(+), 85 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +index e45f9bb80535..ec052fff7712 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +@@ -13,66 +13,6 @@ + #define CREATE_TRACE_POINTS + #include "diag/bridge_tracepoint.h" + +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE 131072 +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_UNTAGGED_GRP_SIZE 524288 +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_FROM 0 +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_TO \ +- (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE - 1) +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_FILTER_GRP_IDX_FROM \ +- (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_TO + 1) +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_FILTER_GRP_IDX_TO \ +- (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_FILTER_GRP_IDX_FROM + \ +- MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE - 1) +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_GRP_IDX_FROM \ +- (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_FILTER_GRP_IDX_TO + 1) +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_GRP_IDX_TO \ +- (MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_GRP_IDX_FROM + \ +- MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE - 1) +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_FILTER_GRP_IDX_FROM \ +- (MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_GRP_IDX_TO + 1) +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_FILTER_GRP_IDX_TO \ +- (MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_FILTER_GRP_IDX_FROM + \ +- MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE - 1) +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_MAC_GRP_IDX_FROM \ +- (MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_FILTER_GRP_IDX_TO + 1) 
+-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_MAC_GRP_IDX_TO \ +- (MLX5_ESW_BRIDGE_INGRESS_TABLE_MAC_GRP_IDX_FROM + \ +- MLX5_ESW_BRIDGE_INGRESS_TABLE_UNTAGGED_GRP_SIZE - 1) +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_SIZE \ +- (MLX5_ESW_BRIDGE_INGRESS_TABLE_MAC_GRP_IDX_TO + 1) +-static_assert(MLX5_ESW_BRIDGE_INGRESS_TABLE_SIZE == 1048576); +- +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_SIZE 131072 +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_SIZE (262144 - 1) +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_IDX_FROM 0 +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_IDX_TO \ +- (MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_SIZE - 1) +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_QINQ_GRP_IDX_FROM \ +- (MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_IDX_TO + 1) +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_QINQ_GRP_IDX_TO \ +- (MLX5_ESW_BRIDGE_EGRESS_TABLE_QINQ_GRP_IDX_FROM + \ +- MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_SIZE - 1) +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_IDX_FROM \ +- (MLX5_ESW_BRIDGE_EGRESS_TABLE_QINQ_GRP_IDX_TO + 1) +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_IDX_TO \ +- (MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_IDX_FROM + \ +- MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_SIZE - 1) +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MISS_GRP_IDX_FROM \ +- (MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_IDX_TO + 1) +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MISS_GRP_IDX_TO \ +- MLX5_ESW_BRIDGE_EGRESS_TABLE_MISS_GRP_IDX_FROM +-#define MLX5_ESW_BRIDGE_EGRESS_TABLE_SIZE \ +- (MLX5_ESW_BRIDGE_EGRESS_TABLE_MISS_GRP_IDX_TO + 1) +-static_assert(MLX5_ESW_BRIDGE_EGRESS_TABLE_SIZE == 524288); +- +-#define MLX5_ESW_BRIDGE_SKIP_TABLE_SIZE 0 +- +-enum { +- MLX5_ESW_BRIDGE_LEVEL_INGRESS_TABLE, +- MLX5_ESW_BRIDGE_LEVEL_EGRESS_TABLE, +- MLX5_ESW_BRIDGE_LEVEL_SKIP_TABLE, +-}; +- + static const struct rhashtable_params fdb_ht_params = { + .key_offset = offsetof(struct mlx5_esw_bridge_fdb_entry, key), + .key_len = sizeof(struct mlx5_esw_bridge_fdb_key), +@@ -80,31 +20,6 @@ static const struct rhashtable_params fdb_ht_params = { + 
.automatic_shrinking = true, + }; + +-enum { +- MLX5_ESW_BRIDGE_VLAN_FILTERING_FLAG = BIT(0), +-}; +- +-struct mlx5_esw_bridge { +- int ifindex; +- int refcnt; +- struct list_head list; +- struct mlx5_esw_bridge_offloads *br_offloads; +- +- struct list_head fdb_list; +- struct rhashtable fdb_ht; +- +- struct mlx5_flow_table *egress_ft; +- struct mlx5_flow_group *egress_vlan_fg; +- struct mlx5_flow_group *egress_qinq_fg; +- struct mlx5_flow_group *egress_mac_fg; +- struct mlx5_flow_group *egress_miss_fg; +- struct mlx5_pkt_reformat *egress_miss_pkt_reformat; +- struct mlx5_flow_handle *egress_miss_handle; +- unsigned long ageing_time; +- u32 flags; +- u16 vlan_proto; +-}; +- + static void + mlx5_esw_bridge_fdb_offload_notify(struct net_device *dev, const unsigned char *addr, u16 vid, + unsigned long val) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +index 878311fe950a..b99761e73c1b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +@@ -12,6 +12,70 @@ + #include + #include "fs_core.h" + ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE 131072 ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_UNTAGGED_GRP_SIZE 524288 ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_FROM 0 ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_FILTER_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_FILTER_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_FILTER_GRP_IDX_FROM + \ ++ MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_FILTER_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_GRP_IDX_TO \ ++ 
(MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_GRP_IDX_FROM + \ ++ MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_FILTER_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_FILTER_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_FILTER_GRP_IDX_FROM + \ ++ MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_MAC_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_QINQ_FILTER_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_MAC_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_MAC_GRP_IDX_FROM + \ ++ MLX5_ESW_BRIDGE_INGRESS_TABLE_UNTAGGED_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_SIZE \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_MAC_GRP_IDX_TO + 1) ++static_assert(MLX5_ESW_BRIDGE_INGRESS_TABLE_SIZE == 1048576); ++ ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_SIZE 131072 ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_SIZE (262144 - 1) ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_IDX_FROM 0 ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_QINQ_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_QINQ_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_EGRESS_TABLE_QINQ_GRP_IDX_FROM + \ ++ MLX5_ESW_BRIDGE_EGRESS_TABLE_VLAN_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_EGRESS_TABLE_QINQ_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_IDX_FROM + \ ++ MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MISS_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_EGRESS_TABLE_MAC_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_MISS_GRP_IDX_TO \ ++ MLX5_ESW_BRIDGE_EGRESS_TABLE_MISS_GRP_IDX_FROM ++#define MLX5_ESW_BRIDGE_EGRESS_TABLE_SIZE \ ++ 
(MLX5_ESW_BRIDGE_EGRESS_TABLE_MISS_GRP_IDX_TO + 1) ++static_assert(MLX5_ESW_BRIDGE_EGRESS_TABLE_SIZE == 524288); ++ ++#define MLX5_ESW_BRIDGE_SKIP_TABLE_SIZE 0 ++ ++enum { ++ MLX5_ESW_BRIDGE_LEVEL_INGRESS_TABLE, ++ MLX5_ESW_BRIDGE_LEVEL_EGRESS_TABLE, ++ MLX5_ESW_BRIDGE_LEVEL_SKIP_TABLE, ++}; ++ ++enum { ++ MLX5_ESW_BRIDGE_VLAN_FILTERING_FLAG = BIT(0), ++}; ++ + struct mlx5_esw_bridge_fdb_key { + unsigned char addr[ETH_ALEN]; + u16 vid; +@@ -60,4 +124,25 @@ struct mlx5_esw_bridge_port { + struct xarray vlans; + }; + ++struct mlx5_esw_bridge { ++ int ifindex; ++ int refcnt; ++ struct list_head list; ++ struct mlx5_esw_bridge_offloads *br_offloads; ++ ++ struct list_head fdb_list; ++ struct rhashtable fdb_ht; ++ ++ struct mlx5_flow_table *egress_ft; ++ struct mlx5_flow_group *egress_vlan_fg; ++ struct mlx5_flow_group *egress_qinq_fg; ++ struct mlx5_flow_group *egress_mac_fg; ++ struct mlx5_flow_group *egress_miss_fg; ++ struct mlx5_pkt_reformat *egress_miss_pkt_reformat; ++ struct mlx5_flow_handle *egress_miss_handle; ++ unsigned long ageing_time; ++ u32 flags; ++ u16 vlan_proto; ++}; ++ + #endif /* _MLX5_ESW_BRIDGE_PRIVATE_ */ +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0067-net-mlx5-Bridge-extract-code-to-lookup-parent-bridge.patch b/SPECS/kernel-hci/0067-net-mlx5-Bridge-extract-code-to-lookup-parent-bridge.patch new file mode 100644 index 00000000000..3476ddb112f --- /dev/null +++ b/SPECS/kernel-hci/0067-net-mlx5-Bridge-extract-code-to-lookup-parent-bridge.patch 
@@ -0,0 +1,148 @@ +From 23ad66f6f2475a534b11629e3b901e93cb8ae909 Mon Sep 17 00:00:00 2001 +From: Amir Tzin +Date: Mon, 29 May 2023 11:24:20 +0300 +Subject: [PATCH 52/58] net/mlx5: Bridge, extract code to lookup parent bridge + of port + +Upstream Status: v6.4-rc1 + +commit b99c4ef29e27 ("net/mlx5: Bridge, extract code to lookup parent bridge of port") +Author: Vlad Buslov +Date: Mon Mar 13 16:22:49 2023 +0100 + + net/mlx5: Bridge, extract code to lookup parent bridge of port + + The pattern when function looks up a port by vport_num+vhca_id tuple in + order to just obtain its parent bridge is repeated multiple times in + bridge.c file. Further commits in this series use the pattern even more. + Extract the pattern to standalone mlx5_esw_bridge_from_port_lookup() + function to improve code readability. + + This commits doesn't change functionality. + + Signed-off-by: Vlad Buslov + Reviewed-by: Maor Dickman + Reviewed-by: Roi Dayan + 
Signed-off-by: Saeed Mahameed + +Change-Id: I5b452a57d82dee8fe8828a81b4a5707899c3fa31 +Signed-off-by: Amir Tzin +--- + .../ethernet/mellanox/mlx5/core/esw/bridge.c | 47 ++++++++++--------- + 1 file changed, 26 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +index ec052fff7712..bbbf982bbbc0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +@@ -933,6 +933,19 @@ static void mlx5_esw_bridge_port_erase(struct mlx5_esw_bridge_port *port, + xa_erase(&br_offloads->ports, mlx5_esw_bridge_port_key(port)); + } + ++static struct mlx5_esw_bridge * ++mlx5_esw_bridge_from_port_lookup(u16 vport_num, u16 esw_owner_vhca_id, ++ struct mlx5_esw_bridge_offloads *br_offloads) ++{ ++ struct mlx5_esw_bridge_port *port; ++ ++ port = mlx5_esw_bridge_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); ++ if (!port) ++ return NULL; ++ ++ return port->bridge; ++} ++ + static void mlx5_esw_bridge_fdb_entry_refresh(struct mlx5_esw_bridge_fdb_entry *entry) + { + trace_mlx5_esw_bridge_fdb_entry_refresh(entry); +@@ -1388,28 +1401,26 @@ mlx5_esw_bridge_fdb_entry_init(struct net_device *dev, u16 vport_num, u16 esw_ow + int mlx5_esw_bridge_ageing_time_set(u16 vport_num, u16 esw_owner_vhca_id, unsigned long ageing_time, + struct mlx5_esw_bridge_offloads *br_offloads) + { +- struct mlx5_esw_bridge_port *port; ++ struct mlx5_esw_bridge *bridge; + +- port = mlx5_esw_bridge_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); +- if (!port) ++ bridge = mlx5_esw_bridge_from_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); ++ if (!bridge) + return -EINVAL; + +- port->bridge->ageing_time = clock_t_to_jiffies(ageing_time); ++ bridge->ageing_time = clock_t_to_jiffies(ageing_time); + return 0; + } + + int mlx5_esw_bridge_vlan_filtering_set(u16 vport_num, u16 esw_owner_vhca_id, bool enable, + struct 
mlx5_esw_bridge_offloads *br_offloads) + { +- struct mlx5_esw_bridge_port *port; + struct mlx5_esw_bridge *bridge; + bool filtering; + +- port = mlx5_esw_bridge_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); +- if (!port) ++ bridge = mlx5_esw_bridge_from_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); ++ if (!bridge) + return -EINVAL; + +- bridge = port->bridge; + filtering = bridge->flags & MLX5_ESW_BRIDGE_VLAN_FILTERING_FLAG; + if (filtering == enable) + return 0; +@@ -1426,15 +1437,13 @@ int mlx5_esw_bridge_vlan_filtering_set(u16 vport_num, u16 esw_owner_vhca_id, boo + int mlx5_esw_bridge_vlan_proto_set(u16 vport_num, u16 esw_owner_vhca_id, u16 proto, + struct mlx5_esw_bridge_offloads *br_offloads) + { +- struct mlx5_esw_bridge_port *port; + struct mlx5_esw_bridge *bridge; + +- port = mlx5_esw_bridge_port_lookup(vport_num, esw_owner_vhca_id, +- br_offloads); +- if (!port) ++ bridge = mlx5_esw_bridge_from_port_lookup(vport_num, esw_owner_vhca_id, ++ br_offloads); ++ if (!bridge) + return -EINVAL; + +- bridge = port->bridge; + if (bridge->vlan_proto == proto) + return 0; + if (proto != ETH_P_8021Q && proto != ETH_P_8021AD) { +@@ -1626,14 +1635,12 @@ void mlx5_esw_bridge_fdb_update_used(struct net_device *dev, u16 vport_num, u16 + struct switchdev_notifier_fdb_info *fdb_info) + { + struct mlx5_esw_bridge_fdb_entry *entry; +- struct mlx5_esw_bridge_port *port; + struct mlx5_esw_bridge *bridge; + +- port = mlx5_esw_bridge_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); +- if (!port) ++ bridge = mlx5_esw_bridge_from_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); ++ if (!bridge) + return; + +- bridge = port->bridge; + entry = mlx5_esw_bridge_fdb_lookup(bridge, fdb_info->addr, fdb_info->vid); + if (!entry) { + esw_debug(br_offloads->esw->dev, +@@ -1680,14 +1687,12 @@ void mlx5_esw_bridge_fdb_remove(struct net_device *dev, u16 vport_num, u16 esw_o + { + struct mlx5_eswitch *esw = br_offloads->esw; + struct mlx5_esw_bridge_fdb_entry 
*entry; +- struct mlx5_esw_bridge_port *port; + struct mlx5_esw_bridge *bridge; + +- port = mlx5_esw_bridge_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); +- if (!port) ++ bridge = mlx5_esw_bridge_from_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); ++ if (!bridge) + return; + +- bridge = port->bridge; + entry = mlx5_esw_bridge_fdb_lookup(bridge, fdb_info->addr, fdb_info->vid); + if (!entry) { + esw_debug(esw->dev, +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0068-net-mlx5-Bridge-snoop-igmp-mld-packets.patch b/SPECS/kernel-hci/0068-net-mlx5-Bridge-snoop-igmp-mld-packets.patch new file mode 100644 index 00000000000..3bc6a980619 --- /dev/null +++ b/SPECS/kernel-hci/0068-net-mlx5-Bridge-snoop-igmp-mld-packets.patch 
@@ -0,0 +1,535 @@ +From 3232b8e01304561c75019754f253b7a932b4446a Mon Sep 17 00:00:00 2001 +From: Amir Tzin +Date: Mon, 29 May 2023 11:24:21 +0300 +Subject: [PATCH 53/58] net/mlx5: Bridge, snoop igmp/mld packets + +Upstream Status: v6.4-rc1 +Conflicts: + - drivers/net/ethernet/mellanox/mlx5/core/Makefile + Context diff due to missing commit + c1fef618d611 ("net/mlx5: Implement thermal zone") + +commit 18c2916cee12 ("net/mlx5: Bridge, snoop igmp/mld packets") +Author: Vlad Buslov +Date: Tue Feb 21 21:31:48 2023 +0100 + + net/mlx5: Bridge, snoop igmp/mld packets + + Handle SWITCHDEV_ATTR_ID_BRIDGE_MC_DISABLED attribute notification to + dynamically toggle bridge multicast offload. Set new + MLX5_ESW_BRIDGE_MCAST_FLAG bridge flag when multicast offload is enabled. + Put multicast-specific code into new bridge_mcast.c file. + + When initializing bridge multicast pipeline create a static rule for + snooping on IGMP traffic and three rules for snooping on MLD traffic (for + query, report and done message types). Note that matching MLD traffic + requires having flexparser MLX5_FLEX_PROTO_ICMPV6 capability enabled. + + By default Linux bridge is created with multicast enabled which can be + modified by 'mcast_snooping' argument: + + $ ip link set name my_bridge type bridge mcast_snooping 0 + + Signed-off-by: Vlad Buslov + Reviewed-by: Maor Dickman + Reviewed-by: Roi Dayan + 
Signed-off-by: Saeed Mahameed + +Change-Id: Id6e173baf1d483bac0946dc469002d483a8ccd8b +Signed-off-by: Amir Tzin +--- + .../net/ethernet/mellanox/mlx5/core/Makefile | 2 +- + .../mellanox/mlx5/core/en/rep/bridge.c | 4 + + .../ethernet/mellanox/mlx5/core/esw/bridge.c | 31 ++ + .../ethernet/mellanox/mlx5/core/esw/bridge.h | 9 + + .../mellanox/mlx5/core/esw/bridge_mcast.c | 316 ++++++++++++++++++ + .../mellanox/mlx5/core/esw/bridge_priv.h | 27 +- + 6 files changed, 384 insertions(+), 5 deletions(-) + create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/Makefile b/drivers/net/ethernet/mellanox/mlx5/core/Makefile +index d1e4d6570b2b..cceed0f03819 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/Makefile ++++ b/drivers/net/ethernet/mellanox/mlx5/core/Makefile +@@ -60,7 +60,7 @@ mlx5_core-$(CONFIG_MLX5_ESWITCH) += esw/acl/helper.o \ + esw/acl/egress_lgcy.o esw/acl/egress_ofld.o \ + esw/acl/ingress_lgcy.o esw/acl/ingress_ofld.o + +-mlx5_core-$(CONFIG_MLX5_BRIDGE) += esw/bridge.o en/rep/bridge.o ++mlx5_core-$(CONFIG_MLX5_BRIDGE) += esw/bridge.o esw/bridge_mcast.o en/rep/bridge.o + + mlx5_core-$(CONFIG_MLX5_MPFS) += lib/mpfs.o + mlx5_core-$(CONFIG_VXLAN) += lib/vxlan.o +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c +index b5b33cfacc56..6c56a096cd4b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c +@@ -275,6 +275,10 @@ mlx5_esw_bridge_port_obj_attr_set(struct net_device *dev, + attr->u.vlan_protocol, + br_offloads); + break; ++ case SWITCHDEV_ATTR_ID_BRIDGE_MC_DISABLED: ++ err = mlx5_esw_bridge_mcast_set(vport_num, esw_owner_vhca_id, ++ !attr->u.mc_disabled, br_offloads); ++ break; + default: + err = -EOPNOTSUPP; + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c 
b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +index bbbf982bbbc0..35436aa9548d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +@@ -868,6 +868,7 @@ static void mlx5_esw_bridge_put(struct mlx5_esw_bridge_offloads *br_offloads, + return; + + mlx5_esw_bridge_egress_table_cleanup(bridge); ++ mlx5_esw_bridge_mcast_disable(bridge); + list_del(&bridge->list); + rhashtable_destroy(&bridge->fdb_ht); + kvfree(bridge); +@@ -1458,6 +1459,36 @@ int mlx5_esw_bridge_vlan_proto_set(u16 vport_num, u16 esw_owner_vhca_id, u16 pro + return 0; + } + ++int mlx5_esw_bridge_mcast_set(u16 vport_num, u16 esw_owner_vhca_id, bool enable, ++ struct mlx5_esw_bridge_offloads *br_offloads) ++{ ++ struct mlx5_eswitch *esw = br_offloads->esw; ++ struct mlx5_esw_bridge *bridge; ++ int err = 0; ++ bool mcast; ++ ++ if (!(MLX5_CAP_ESW_FLOWTABLE((esw)->dev, fdb_multi_path_any_table) || ++ MLX5_CAP_ESW_FLOWTABLE((esw)->dev, fdb_multi_path_any_table_limit_regc)) || ++ !MLX5_CAP_ESW_FLOWTABLE((esw)->dev, fdb_uplink_hairpin) || ++ !MLX5_CAP_ESW_FLOWTABLE_FDB((esw)->dev, ignore_flow_level)) ++ return -EOPNOTSUPP; ++ ++ bridge = mlx5_esw_bridge_from_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); ++ if (!bridge) ++ return -EINVAL; ++ ++ mcast = bridge->flags & MLX5_ESW_BRIDGE_MCAST_FLAG; ++ if (mcast == enable) ++ return 0; ++ ++ if (enable) ++ err = mlx5_esw_bridge_mcast_enable(bridge); ++ else ++ mlx5_esw_bridge_mcast_disable(bridge); ++ ++ return err; ++} ++ + static int mlx5_esw_bridge_vport_init(u16 vport_num, u16 esw_owner_vhca_id, u16 flags, + struct mlx5_esw_bridge_offloads *br_offloads, + struct mlx5_esw_bridge *bridge) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h +index 10851a515bca..b18f137173d9 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h +@@ 
-25,12 +25,19 @@ struct mlx5_esw_bridge_offloads { + struct delayed_work update_work; + + struct mlx5_flow_table *ingress_ft; ++ struct mlx5_flow_group *ingress_igmp_fg; ++ struct mlx5_flow_group *ingress_mld_fg; + struct mlx5_flow_group *ingress_vlan_fg; + struct mlx5_flow_group *ingress_vlan_filter_fg; + struct mlx5_flow_group *ingress_qinq_fg; + struct mlx5_flow_group *ingress_qinq_filter_fg; + struct mlx5_flow_group *ingress_mac_fg; + ++ struct mlx5_flow_handle *igmp_handle; ++ struct mlx5_flow_handle *mld_query_handle; ++ struct mlx5_flow_handle *mld_report_handle; ++ struct mlx5_flow_handle *mld_done_handle; ++ + struct mlx5_flow_table *skip_ft; + }; + +@@ -64,6 +71,8 @@ int mlx5_esw_bridge_vlan_filtering_set(u16 vport_num, u16 esw_owner_vhca_id, boo + struct mlx5_esw_bridge_offloads *br_offloads); + int mlx5_esw_bridge_vlan_proto_set(u16 vport_num, u16 esw_owner_vhca_id, u16 proto, + struct mlx5_esw_bridge_offloads *br_offloads); ++int mlx5_esw_bridge_mcast_set(u16 vport_num, u16 esw_owner_vhca_id, bool enable, ++ struct mlx5_esw_bridge_offloads *br_offloads); + int mlx5_esw_bridge_port_vlan_add(u16 vport_num, u16 esw_owner_vhca_id, u16 vid, u16 flags, + struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c +new file mode 100644 +index 000000000000..d5a89a86c9e8 +--- /dev/null ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c +@@ -0,0 +1,316 @@ ++// SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB ++/* Copyright (c) 2022, NVIDIA CORPORATION & AFFILIATES. All rights reserved. 
*/ ++ ++#include "bridge.h" ++#include "eswitch.h" ++#include "bridge_priv.h" ++ ++static struct mlx5_flow_group * ++mlx5_esw_bridge_ingress_igmp_fg_create(struct mlx5_eswitch *esw, ++ struct mlx5_flow_table *ingress_ft) ++{ ++ int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); ++ struct mlx5_flow_group *fg; ++ u32 *in, *match; ++ ++ in = kvzalloc(inlen, GFP_KERNEL); ++ if (!in) ++ return ERR_PTR(-ENOMEM); ++ ++ MLX5_SET(create_flow_group_in, in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); ++ match = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); ++ ++ MLX5_SET_TO_ONES(fte_match_param, match, outer_headers.ip_version); ++ MLX5_SET_TO_ONES(fte_match_param, match, outer_headers.ip_protocol); ++ ++ MLX5_SET(create_flow_group_in, in, start_flow_index, ++ MLX5_ESW_BRIDGE_INGRESS_TABLE_IGMP_GRP_IDX_FROM); ++ MLX5_SET(create_flow_group_in, in, end_flow_index, ++ MLX5_ESW_BRIDGE_INGRESS_TABLE_IGMP_GRP_IDX_TO); ++ ++ fg = mlx5_create_flow_group(ingress_ft, in); ++ kvfree(in); ++ if (IS_ERR(fg)) ++ esw_warn(esw->dev, ++ "Failed to create IGMP flow group for bridge ingress table (err=%pe)\n", ++ fg); ++ ++ return fg; ++} ++ ++static struct mlx5_flow_group * ++mlx5_esw_bridge_ingress_mld_fg_create(struct mlx5_eswitch *esw, ++ struct mlx5_flow_table *ingress_ft) ++{ ++ int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); ++ struct mlx5_flow_group *fg; ++ u32 *in, *match; ++ ++ if (!(MLX5_CAP_GEN(esw->dev, flex_parser_protocols) & MLX5_FLEX_PROTO_ICMPV6)) { ++ esw_warn(esw->dev, ++ "Can't create MLD flow group due to missing hardware ICMPv6 parsing support\n"); ++ return NULL; ++ } ++ ++ in = kvzalloc(inlen, GFP_KERNEL); ++ if (!in) ++ return ERR_PTR(-ENOMEM); ++ ++ MLX5_SET(create_flow_group_in, in, match_criteria_enable, ++ MLX5_MATCH_OUTER_HEADERS | MLX5_MATCH_MISC_PARAMETERS_3); ++ match = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); ++ ++ MLX5_SET_TO_ONES(fte_match_param, match, outer_headers.ip_version); ++ MLX5_SET_TO_ONES(fte_match_param, match, 
misc_parameters_3.icmpv6_type); ++ ++ MLX5_SET(create_flow_group_in, in, start_flow_index, ++ MLX5_ESW_BRIDGE_INGRESS_TABLE_MLD_GRP_IDX_FROM); ++ MLX5_SET(create_flow_group_in, in, end_flow_index, ++ MLX5_ESW_BRIDGE_INGRESS_TABLE_MLD_GRP_IDX_TO); ++ ++ fg = mlx5_create_flow_group(ingress_ft, in); ++ kvfree(in); ++ if (IS_ERR(fg)) ++ esw_warn(esw->dev, ++ "Failed to create MLD flow group for bridge ingress table (err=%pe)\n", ++ fg); ++ ++ return fg; ++} ++ ++static int ++mlx5_esw_bridge_ingress_mcast_fgs_init(struct mlx5_esw_bridge_offloads *br_offloads) ++{ ++ struct mlx5_flow_table *ingress_ft = br_offloads->ingress_ft; ++ struct mlx5_eswitch *esw = br_offloads->esw; ++ struct mlx5_flow_group *igmp_fg, *mld_fg; ++ ++ igmp_fg = mlx5_esw_bridge_ingress_igmp_fg_create(esw, ingress_ft); ++ if (IS_ERR(igmp_fg)) ++ return PTR_ERR(igmp_fg); ++ ++ mld_fg = mlx5_esw_bridge_ingress_mld_fg_create(esw, ingress_ft); ++ if (IS_ERR(mld_fg)) { ++ mlx5_destroy_flow_group(igmp_fg); ++ return PTR_ERR(mld_fg); ++ } ++ ++ br_offloads->ingress_igmp_fg = igmp_fg; ++ br_offloads->ingress_mld_fg = mld_fg; ++ return 0; ++} ++ ++static void ++mlx5_esw_bridge_ingress_mcast_fgs_cleanup(struct mlx5_esw_bridge_offloads *br_offloads) ++{ ++ if (br_offloads->ingress_mld_fg) ++ mlx5_destroy_flow_group(br_offloads->ingress_mld_fg); ++ br_offloads->ingress_mld_fg = NULL; ++ if (br_offloads->ingress_igmp_fg) ++ mlx5_destroy_flow_group(br_offloads->ingress_igmp_fg); ++ br_offloads->ingress_igmp_fg = NULL; ++} ++ ++static struct mlx5_flow_handle * ++mlx5_esw_bridge_ingress_igmp_fh_create(struct mlx5_flow_table *ingress_ft, ++ struct mlx5_flow_table *skip_ft) ++{ ++ struct mlx5_flow_destination dest = { ++ .type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE, ++ .ft = skip_ft, ++ }; ++ struct mlx5_flow_act flow_act = { ++ .action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST, ++ .flags = FLOW_ACT_NO_APPEND, ++ }; ++ struct mlx5_flow_spec *rule_spec; ++ struct mlx5_flow_handle *handle; ++ ++ rule_spec = 
kvzalloc(sizeof(*rule_spec), GFP_KERNEL); ++ if (!rule_spec) ++ return ERR_PTR(-ENOMEM); ++ ++ rule_spec->match_criteria_enable = MLX5_MATCH_OUTER_HEADERS; ++ ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_criteria, outer_headers.ip_version); ++ MLX5_SET(fte_match_param, rule_spec->match_value, outer_headers.ip_version, 4); ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_criteria, outer_headers.ip_protocol); ++ MLX5_SET(fte_match_param, rule_spec->match_value, outer_headers.ip_protocol, IPPROTO_IGMP); ++ ++ handle = mlx5_add_flow_rules(ingress_ft, rule_spec, &flow_act, &dest, 1); ++ ++ kvfree(rule_spec); ++ return handle; ++} ++ ++static struct mlx5_flow_handle * ++mlx5_esw_bridge_ingress_mld_fh_create(u8 type, struct mlx5_flow_table *ingress_ft, ++ struct mlx5_flow_table *skip_ft) ++{ ++ struct mlx5_flow_destination dest = { ++ .type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE, ++ .ft = skip_ft, ++ }; ++ struct mlx5_flow_act flow_act = { ++ .action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST, ++ .flags = FLOW_ACT_NO_APPEND, ++ }; ++ struct mlx5_flow_spec *rule_spec; ++ struct mlx5_flow_handle *handle; ++ ++ rule_spec = kvzalloc(sizeof(*rule_spec), GFP_KERNEL); ++ if (!rule_spec) ++ return ERR_PTR(-ENOMEM); ++ ++ rule_spec->match_criteria_enable = MLX5_MATCH_OUTER_HEADERS | MLX5_MATCH_MISC_PARAMETERS_3; ++ ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_criteria, outer_headers.ip_version); ++ MLX5_SET(fte_match_param, rule_spec->match_value, outer_headers.ip_version, 6); ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_criteria, misc_parameters_3.icmpv6_type); ++ MLX5_SET(fte_match_param, rule_spec->match_value, misc_parameters_3.icmpv6_type, type); ++ ++ handle = mlx5_add_flow_rules(ingress_ft, rule_spec, &flow_act, &dest, 1); ++ ++ kvfree(rule_spec); ++ return handle; ++} ++ ++static int ++mlx5_esw_bridge_ingress_mcast_fhs_create(struct mlx5_esw_bridge_offloads *br_offloads) ++{ ++ struct mlx5_flow_handle *igmp_handle, *mld_query_handle, 
*mld_report_handle, ++ *mld_done_handle; ++ struct mlx5_flow_table *ingress_ft = br_offloads->ingress_ft, ++ *skip_ft = br_offloads->skip_ft; ++ int err; ++ ++ igmp_handle = mlx5_esw_bridge_ingress_igmp_fh_create(ingress_ft, skip_ft); ++ if (IS_ERR(igmp_handle)) ++ return PTR_ERR(igmp_handle); ++ ++ if (br_offloads->ingress_mld_fg) { ++ mld_query_handle = mlx5_esw_bridge_ingress_mld_fh_create(ICMPV6_MGM_QUERY, ++ ingress_ft, ++ skip_ft); ++ if (IS_ERR(mld_query_handle)) { ++ err = PTR_ERR(mld_query_handle); ++ goto err_mld_query; ++ } ++ ++ mld_report_handle = mlx5_esw_bridge_ingress_mld_fh_create(ICMPV6_MGM_REPORT, ++ ingress_ft, ++ skip_ft); ++ if (IS_ERR(mld_report_handle)) { ++ err = PTR_ERR(mld_report_handle); ++ goto err_mld_report; ++ } ++ ++ mld_done_handle = mlx5_esw_bridge_ingress_mld_fh_create(ICMPV6_MGM_REDUCTION, ++ ingress_ft, ++ skip_ft); ++ if (IS_ERR(mld_done_handle)) { ++ err = PTR_ERR(mld_done_handle); ++ goto err_mld_done; ++ } ++ } else { ++ mld_query_handle = NULL; ++ mld_report_handle = NULL; ++ mld_done_handle = NULL; ++ } ++ ++ br_offloads->igmp_handle = igmp_handle; ++ br_offloads->mld_query_handle = mld_query_handle; ++ br_offloads->mld_report_handle = mld_report_handle; ++ br_offloads->mld_done_handle = mld_done_handle; ++ ++ return 0; ++ ++err_mld_done: ++ mlx5_del_flow_rules(mld_report_handle); ++err_mld_report: ++ mlx5_del_flow_rules(mld_query_handle); ++err_mld_query: ++ mlx5_del_flow_rules(igmp_handle); ++ return err; ++} ++ ++static void ++mlx5_esw_bridge_ingress_mcast_fhs_cleanup(struct mlx5_esw_bridge_offloads *br_offloads) ++{ ++ if (br_offloads->mld_done_handle) ++ mlx5_del_flow_rules(br_offloads->mld_done_handle); ++ br_offloads->mld_done_handle = NULL; ++ if (br_offloads->mld_report_handle) ++ mlx5_del_flow_rules(br_offloads->mld_report_handle); ++ br_offloads->mld_report_handle = NULL; ++ if (br_offloads->mld_query_handle) ++ mlx5_del_flow_rules(br_offloads->mld_query_handle); ++ br_offloads->mld_query_handle = NULL; ++ if 
(br_offloads->igmp_handle) ++ mlx5_del_flow_rules(br_offloads->igmp_handle); ++ br_offloads->igmp_handle = NULL; ++} ++ ++static int mlx5_esw_brige_mcast_global_enable(struct mlx5_esw_bridge_offloads *br_offloads) ++{ ++ int err; ++ ++ if (br_offloads->ingress_igmp_fg) ++ return 0; /* already enabled by another bridge */ ++ ++ err = mlx5_esw_bridge_ingress_mcast_fgs_init(br_offloads); ++ if (err) { ++ esw_warn(br_offloads->esw->dev, ++ "Failed to create global multicast flow groups (err=%d)\n", ++ err); ++ return err; ++ } ++ ++ err = mlx5_esw_bridge_ingress_mcast_fhs_create(br_offloads); ++ if (err) { ++ esw_warn(br_offloads->esw->dev, ++ "Failed to create global multicast flows (err=%d)\n", ++ err); ++ goto err_fhs; ++ } ++ ++ return 0; ++ ++err_fhs: ++ mlx5_esw_bridge_ingress_mcast_fgs_cleanup(br_offloads); ++ return err; ++} ++ ++static void mlx5_esw_brige_mcast_global_disable(struct mlx5_esw_bridge_offloads *br_offloads) ++{ ++ struct mlx5_esw_bridge *br; ++ ++ list_for_each_entry(br, &br_offloads->bridges, list) { ++ /* Ingress table is global, so only disable snooping when all ++ * bridges on esw have multicast disabled. 
++ */ ++ if (br->flags & MLX5_ESW_BRIDGE_MCAST_FLAG) ++ return; ++ } ++ ++ mlx5_esw_bridge_ingress_mcast_fhs_cleanup(br_offloads); ++ mlx5_esw_bridge_ingress_mcast_fgs_cleanup(br_offloads); ++} ++ ++int mlx5_esw_bridge_mcast_enable(struct mlx5_esw_bridge *bridge) ++{ ++ int err; ++ ++ err = mlx5_esw_brige_mcast_global_enable(bridge->br_offloads); ++ if (err) ++ return err; ++ ++ bridge->flags |= MLX5_ESW_BRIDGE_MCAST_FLAG; ++ return 0; ++} ++ ++void mlx5_esw_bridge_mcast_disable(struct mlx5_esw_bridge *bridge) ++{ ++ bridge->flags &= ~MLX5_ESW_BRIDGE_MCAST_FLAG; ++ mlx5_esw_brige_mcast_global_disable(bridge->br_offloads); ++} +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +index b99761e73c1b..dbb935db1b3c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +@@ -12,11 +12,26 @@ + #include + #include "fs_core.h" + ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_IGMP_GRP_SIZE 1 ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_MLD_GRP_SIZE 3 + #define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE 131072 +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_UNTAGGED_GRP_SIZE 524288 +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_FROM 0 +-#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_TO \ +- (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_UNTAGGED_GRP_SIZE \ ++ (524288 - MLX5_ESW_BRIDGE_INGRESS_TABLE_IGMP_GRP_SIZE - \ ++ MLX5_ESW_BRIDGE_INGRESS_TABLE_MLD_GRP_SIZE) ++ ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_IGMP_GRP_IDX_FROM 0 ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_IGMP_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_IGMP_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_MLD_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_IGMP_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_MLD_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_MLD_GRP_IDX_FROM + \ ++ 
MLX5_ESW_BRIDGE_INGRESS_TABLE_MLD_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_MLD_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_FROM + \ ++ MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_SIZE - 1) + #define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_FILTER_GRP_IDX_FROM \ + (MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_GRP_IDX_TO + 1) + #define MLX5_ESW_BRIDGE_INGRESS_TABLE_VLAN_FILTER_GRP_IDX_TO \ +@@ -74,6 +89,7 @@ enum { + + enum { + MLX5_ESW_BRIDGE_VLAN_FILTERING_FLAG = BIT(0), ++ MLX5_ESW_BRIDGE_MCAST_FLAG = BIT(1), + }; + + struct mlx5_esw_bridge_fdb_key { +@@ -145,4 +161,7 @@ struct mlx5_esw_bridge { + u16 vlan_proto; + }; + ++int mlx5_esw_bridge_mcast_enable(struct mlx5_esw_bridge *bridge); ++void mlx5_esw_bridge_mcast_disable(struct mlx5_esw_bridge *bridge); ++ + #endif /* _MLX5_ESW_BRIDGE_PRIVATE_ */ +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0069-net-mlx5-Bridge-add-per-port-multicast-replication-t.patch b/SPECS/kernel-hci/0069-net-mlx5-Bridge-add-per-port-multicast-replication-t.patch new file mode 100644 index 00000000000..2e4eb29757d --- /dev/null +++ b/SPECS/kernel-hci/0069-net-mlx5-Bridge-add-per-port-multicast-replication-t.patch 
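Review bot: `mlx5_esw_bridge_ingress_mld_fg_create` in the new bridge_mcast.c has a three-way return — an ERR_PTR on allocation or flow-group creation failure, NULL when the device lacks MLX5_FLEX_PROTO_ICMPV6, and a valid group otherwise — and nothing at the definition says so; `mlx5_esw_bridge_ingress_mcast_fgs_init` only runs `IS_ERR()` on it and `mlx5_esw_bridge_ingress_mcast_fhs_create` later keys MLD rule creation off `br_offloads->ingress_mld_fg` being non-NULL, so the contract is spread across three functions. A comment above the function such as `/* Returns NULL (not an error) when the hardware cannot parse ICMPv6: IGMP snooping is still offloaded and the MLD rules are skipped. */` would make that explicit for whoever next touches this backport. Since the patch mirrors upstream commit 18c2916cee12, such a change should go upstream first or be recorded as a local deviation in the patch header, the way the Conflicts section already does for the Makefile. Smaller style point: the two static helpers are spelled `mlx5_esw_brige_mcast_global_enable`/`_disable` (missing the 'd'), also inherited from upstream.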
@@ -0,0 +1,524 @@ +From 5a2e44cc216c7129206915224cacdbb72fabc771 Mon Sep 17 00:00:00 2001 +From: Amir Tzin +Date: Mon, 29 May 2023 11:24:21 +0300 +Subject: [PATCH 54/58] net/mlx5: Bridge, add per-port multicast replication + tables + +Upstream Status: v6.4-rc1 + +commit 272ecfc92f6f ("net/mlx5: Bridge, add per-port multicast replication tables") +Author: Vlad Buslov +Date: Wed Feb 22 13:10:02 2023 +0100 + + net/mlx5: Bridge, add per-port multicast replication tables + + Multicast replication requires adding one more level of FDB_BR_OFFLOAD + priority flow tables. The new level is used for per-port multicast-specific + tables that have following flow groups structure (flow highest to lowest + priority): + + - Flow group of size one that matches on source port metadata. This will + have a static single rule that prevent packets from being replicated to + their source port. + + - Flow group of size one that matches all packets and forwards them to the + port that owns the table. + + Initialize the table dynamically on all bridge ports when adding a port to + the bridge that has multicast enabled and on all existing bridge ports when + receiving multicast enable notification. + + Signed-off-by: Vlad Buslov + Reviewed-by: Maor Dickman + Reviewed-by: Roi Dayan + 
Signed-off-by: Saeed Mahameed + +Change-Id: Ia916338c1d5604c03b43ffbe4d178b6f3fe57213 +Signed-off-by: Amir Tzin +--- + .../ethernet/mellanox/mlx5/core/esw/bridge.c | 14 +- + .../mellanox/mlx5/core/esw/bridge_mcast.c | 329 +++++++++++++++++- + .../mellanox/mlx5/core/esw/bridge_priv.h | 28 ++ + .../net/ethernet/mellanox/mlx5/core/fs_core.c | 2 +- + 4 files changed, 370 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +index 35436aa9548d..4bc8c6fc394b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +@@ -61,7 +61,7 @@ mlx5_esw_bridge_pkt_reformat_vlan_pop_create(struct mlx5_eswitch *esw) + return mlx5_packet_reformat_alloc(esw->dev, &reformat_params, MLX5_FLOW_NAMESPACE_FDB); + } + +-static struct mlx5_flow_table * ++struct mlx5_flow_table * + mlx5_esw_bridge_table_create(int max_fte, u32 level, struct mlx5_eswitch *esw) + { + struct mlx5_flow_table_attr ft_attr = {}; +@@ -1506,6 +1506,15 @@ static int mlx5_esw_bridge_vport_init(u16 vport_num, u16 esw_owner_vhca_id, u16 + port->bridge = bridge; + port->flags |= flags; + xa_init(&port->vlans); ++ ++ err = mlx5_esw_bridge_port_mcast_init(port); ++ if (err) { ++ esw_warn(esw->dev, ++ "Failed to initialize port multicast (vport=%u,esw_owner_vhca_id=%u,err=%d)\n", ++ port->vport_num, port->esw_owner_vhca_id, err); ++ goto err_port_mcast; ++ } ++ + err = mlx5_esw_bridge_port_insert(port, br_offloads); + if (err) { + esw_warn(esw->dev, +@@ -1518,6 +1527,8 @@ static int mlx5_esw_bridge_vport_init(u16 vport_num, u16 esw_owner_vhca_id, u16 + return 0; + + err_port_insert: ++ mlx5_esw_bridge_port_mcast_cleanup(port); ++err_port_mcast: + kvfree(port); + return err; + } +@@ -1535,6 +1546,7 @@ static int mlx5_esw_bridge_vport_cleanup(struct mlx5_esw_bridge_offloads *br_off + + trace_mlx5_esw_bridge_vport_cleanup(port); + 
mlx5_esw_bridge_port_vlans_flush(port, bridge); ++ mlx5_esw_bridge_port_mcast_cleanup(port); + mlx5_esw_bridge_port_erase(port, br_offloads); + kvfree(port); + mlx5_esw_bridge_put(br_offloads, bridge); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c +index d5a89a86c9e8..4f54cb41ed19 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c +@@ -1,10 +1,283 @@ + // SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB + /* Copyright (c) 2022, NVIDIA CORPORATION & AFFILIATES. All rights reserved. */ + ++#include "lib/devcom.h" + #include "bridge.h" + #include "eswitch.h" + #include "bridge_priv.h" + ++static int mlx5_esw_bridge_port_mcast_fts_init(struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge *bridge) ++{ ++ struct mlx5_eswitch *esw = bridge->br_offloads->esw; ++ struct mlx5_flow_table *mcast_ft; ++ ++ mcast_ft = mlx5_esw_bridge_table_create(MLX5_ESW_BRIDGE_MCAST_TABLE_SIZE, ++ MLX5_ESW_BRIDGE_LEVEL_MCAST_TABLE, ++ esw); ++ if (IS_ERR(mcast_ft)) ++ return PTR_ERR(mcast_ft); ++ ++ port->mcast.ft = mcast_ft; ++ return 0; ++} ++ ++static void mlx5_esw_bridge_port_mcast_fts_cleanup(struct mlx5_esw_bridge_port *port) ++{ ++ if (port->mcast.ft) ++ mlx5_destroy_flow_table(port->mcast.ft); ++ port->mcast.ft = NULL; ++} ++ ++static struct mlx5_flow_group * ++mlx5_esw_bridge_mcast_filter_fg_create(struct mlx5_eswitch *esw, ++ struct mlx5_flow_table *mcast_ft) ++{ ++ int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); ++ struct mlx5_flow_group *fg; ++ u32 *in, *match; ++ ++ in = kvzalloc(inlen, GFP_KERNEL); ++ if (!in) ++ return ERR_PTR(-ENOMEM); ++ ++ MLX5_SET(create_flow_group_in, in, match_criteria_enable, MLX5_MATCH_MISC_PARAMETERS_2); ++ match = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); ++ ++ MLX5_SET(fte_match_param, match, misc_parameters_2.metadata_reg_c_0, ++ 
mlx5_eswitch_get_vport_metadata_mask()); ++ ++ MLX5_SET(create_flow_group_in, in, start_flow_index, ++ MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_IDX_FROM); ++ MLX5_SET(create_flow_group_in, in, end_flow_index, ++ MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_IDX_TO); ++ ++ fg = mlx5_create_flow_group(mcast_ft, in); ++ kvfree(in); ++ if (IS_ERR(fg)) ++ esw_warn(esw->dev, ++ "Failed to create filter flow group for bridge mcast table (err=%pe)\n", ++ fg); ++ ++ return fg; ++} ++ ++static struct mlx5_flow_group * ++mlx5_esw_bridge_mcast_fwd_fg_create(struct mlx5_eswitch *esw, ++ struct mlx5_flow_table *mcast_ft) ++{ ++ int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); ++ struct mlx5_flow_group *fg; ++ u32 *in; ++ ++ in = kvzalloc(inlen, GFP_KERNEL); ++ if (!in) ++ return ERR_PTR(-ENOMEM); ++ ++ MLX5_SET(create_flow_group_in, in, start_flow_index, ++ MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_IDX_FROM); ++ MLX5_SET(create_flow_group_in, in, end_flow_index, ++ MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_IDX_TO); ++ ++ fg = mlx5_create_flow_group(mcast_ft, in); ++ kvfree(in); ++ if (IS_ERR(fg)) ++ esw_warn(esw->dev, ++ "Failed to create forward flow group for bridge mcast table (err=%pe)\n", ++ fg); ++ ++ return fg; ++} ++ ++static int mlx5_esw_bridge_port_mcast_fgs_init(struct mlx5_esw_bridge_port *port) ++{ ++ struct mlx5_eswitch *esw = port->bridge->br_offloads->esw; ++ struct mlx5_flow_table *mcast_ft = port->mcast.ft; ++ struct mlx5_flow_group *fwd_fg, *filter_fg; ++ int err; ++ ++ filter_fg = mlx5_esw_bridge_mcast_filter_fg_create(esw, mcast_ft); ++ if (IS_ERR(filter_fg)) ++ return PTR_ERR(filter_fg); ++ ++ fwd_fg = mlx5_esw_bridge_mcast_fwd_fg_create(esw, mcast_ft); ++ if (IS_ERR(fwd_fg)) { ++ err = PTR_ERR(fwd_fg); ++ goto err_fwd_fg; ++ } ++ ++ port->mcast.filter_fg = filter_fg; ++ port->mcast.fwd_fg = fwd_fg; ++ ++ return 0; ++ ++err_fwd_fg: ++ mlx5_destroy_flow_group(filter_fg); ++ return err; ++} ++ ++static void mlx5_esw_bridge_port_mcast_fgs_cleanup(struct mlx5_esw_bridge_port 
*port) ++{ ++ if (port->mcast.fwd_fg) ++ mlx5_destroy_flow_group(port->mcast.fwd_fg); ++ port->mcast.fwd_fg = NULL; ++ if (port->mcast.filter_fg) ++ mlx5_destroy_flow_group(port->mcast.filter_fg); ++ port->mcast.filter_fg = NULL; ++} ++ ++static struct mlx5_flow_handle * ++mlx5_esw_bridge_mcast_flow_with_esw_create(struct mlx5_esw_bridge_port *port, ++ struct mlx5_eswitch *esw) ++{ ++ struct mlx5_flow_act flow_act = { ++ .action = MLX5_FLOW_CONTEXT_ACTION_DROP, ++ .flags = FLOW_ACT_NO_APPEND, ++ }; ++ struct mlx5_flow_spec *rule_spec; ++ struct mlx5_flow_handle *handle; ++ ++ rule_spec = kvzalloc(sizeof(*rule_spec), GFP_KERNEL); ++ if (!rule_spec) ++ return ERR_PTR(-ENOMEM); ++ ++ rule_spec->match_criteria_enable = MLX5_MATCH_MISC_PARAMETERS_2; ++ ++ MLX5_SET(fte_match_param, rule_spec->match_criteria, ++ misc_parameters_2.metadata_reg_c_0, mlx5_eswitch_get_vport_metadata_mask()); ++ MLX5_SET(fte_match_param, rule_spec->match_value, misc_parameters_2.metadata_reg_c_0, ++ mlx5_eswitch_get_vport_metadata_for_match(esw, port->vport_num)); ++ ++ handle = mlx5_add_flow_rules(port->mcast.ft, rule_spec, &flow_act, NULL, 0); ++ ++ kvfree(rule_spec); ++ return handle; ++} ++ ++static struct mlx5_flow_handle * ++mlx5_esw_bridge_mcast_filter_flow_create(struct mlx5_esw_bridge_port *port) ++{ ++ return mlx5_esw_bridge_mcast_flow_with_esw_create(port, port->bridge->br_offloads->esw); ++} ++ ++static struct mlx5_flow_handle * ++mlx5_esw_bridge_mcast_filter_flow_peer_create(struct mlx5_esw_bridge_port *port) ++{ ++ struct mlx5_devcom *devcom = port->bridge->br_offloads->esw->dev->priv.devcom; ++ static struct mlx5_flow_handle *handle; ++ struct mlx5_eswitch *peer_esw; ++ ++ peer_esw = mlx5_devcom_get_peer_data(devcom, MLX5_DEVCOM_ESW_OFFLOADS); ++ if (!peer_esw) ++ return ERR_PTR(-ENODEV); ++ ++ handle = mlx5_esw_bridge_mcast_flow_with_esw_create(port, peer_esw); ++ ++ mlx5_devcom_release_peer_data(devcom, MLX5_DEVCOM_ESW_OFFLOADS); ++ return handle; ++} ++ ++static struct 
mlx5_flow_handle * ++mlx5_esw_bridge_mcast_fwd_flow_create(struct mlx5_esw_bridge_port *port) ++{ ++ struct mlx5_flow_act flow_act = { ++ .action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST, ++ .flags = FLOW_ACT_NO_APPEND, ++ }; ++ struct mlx5_flow_destination dest = { ++ .type = MLX5_FLOW_DESTINATION_TYPE_VPORT, ++ .vport.num = port->vport_num, ++ }; ++ struct mlx5_esw_bridge *bridge = port->bridge; ++ struct mlx5_flow_spec *rule_spec; ++ struct mlx5_flow_handle *handle; ++ ++ rule_spec = kvzalloc(sizeof(*rule_spec), GFP_KERNEL); ++ if (!rule_spec) ++ return ERR_PTR(-ENOMEM); ++ ++ if (MLX5_CAP_ESW_FLOWTABLE(bridge->br_offloads->esw->dev, flow_source) && ++ port->vport_num == MLX5_VPORT_UPLINK) ++ rule_spec->flow_context.flow_source = ++ MLX5_FLOW_CONTEXT_FLOW_SOURCE_LOCAL_VPORT; ++ ++ if (MLX5_CAP_ESW(bridge->br_offloads->esw->dev, merged_eswitch)) { ++ dest.vport.flags = MLX5_FLOW_DEST_VPORT_VHCA_ID; ++ dest.vport.vhca_id = port->esw_owner_vhca_id; ++ } ++ handle = mlx5_add_flow_rules(port->mcast.ft, rule_spec, &flow_act, &dest, 1); ++ ++ kvfree(rule_spec); ++ return handle; ++} ++ ++static int mlx5_esw_bridge_port_mcast_fhs_init(struct mlx5_esw_bridge_port *port) ++{ ++ struct mlx5_flow_handle *filter_handle, *fwd_handle; ++ ++ filter_handle = (port->flags & MLX5_ESW_BRIDGE_PORT_FLAG_PEER) ? 
++ mlx5_esw_bridge_mcast_filter_flow_peer_create(port) : ++ mlx5_esw_bridge_mcast_filter_flow_create(port); ++ if (IS_ERR(filter_handle)) ++ return PTR_ERR(filter_handle); ++ ++ fwd_handle = mlx5_esw_bridge_mcast_fwd_flow_create(port); ++ if (IS_ERR(fwd_handle)) { ++ mlx5_del_flow_rules(filter_handle); ++ return PTR_ERR(fwd_handle); ++ } ++ ++ port->mcast.filter_handle = filter_handle; ++ port->mcast.fwd_handle = fwd_handle; ++ ++ return 0; ++} ++ ++static void mlx5_esw_bridge_port_mcast_fhs_cleanup(struct mlx5_esw_bridge_port *port) ++{ ++ if (port->mcast.fwd_handle) ++ mlx5_del_flow_rules(port->mcast.fwd_handle); ++ port->mcast.fwd_handle = NULL; ++ if (port->mcast.filter_handle) ++ mlx5_del_flow_rules(port->mcast.filter_handle); ++ port->mcast.filter_handle = NULL; ++} ++ ++int mlx5_esw_bridge_port_mcast_init(struct mlx5_esw_bridge_port *port) ++{ ++ struct mlx5_esw_bridge *bridge = port->bridge; ++ int err; ++ ++ if (!(bridge->flags & MLX5_ESW_BRIDGE_MCAST_FLAG)) ++ return 0; ++ ++ err = mlx5_esw_bridge_port_mcast_fts_init(port, bridge); ++ if (err) ++ return err; ++ ++ err = mlx5_esw_bridge_port_mcast_fgs_init(port); ++ if (err) ++ goto err_fgs; ++ ++ err = mlx5_esw_bridge_port_mcast_fhs_init(port); ++ if (err) ++ goto err_fhs; ++ return err; ++ ++err_fhs: ++ mlx5_esw_bridge_port_mcast_fgs_cleanup(port); ++err_fgs: ++ mlx5_esw_bridge_port_mcast_fts_cleanup(port); ++ return err; ++} ++ ++void mlx5_esw_bridge_port_mcast_cleanup(struct mlx5_esw_bridge_port *port) ++{ ++ mlx5_esw_bridge_port_mcast_fhs_cleanup(port); ++ mlx5_esw_bridge_port_mcast_fgs_cleanup(port); ++ mlx5_esw_bridge_port_mcast_fts_cleanup(port); ++} ++ + static struct mlx5_flow_group * + mlx5_esw_bridge_ingress_igmp_fg_create(struct mlx5_eswitch *esw, + struct mlx5_flow_table *ingress_ft) +@@ -251,6 +524,51 @@ mlx5_esw_bridge_ingress_mcast_fhs_cleanup(struct mlx5_esw_bridge_offloads *br_of + br_offloads->igmp_handle = NULL; + } + ++static int mlx5_esw_brige_mcast_init(struct mlx5_esw_bridge 
*bridge) ++{ ++ struct mlx5_esw_bridge_offloads *br_offloads = bridge->br_offloads; ++ struct mlx5_esw_bridge_port *port, *failed; ++ unsigned long i; ++ int err; ++ ++ xa_for_each(&br_offloads->ports, i, port) { ++ if (port->bridge != bridge) ++ continue; ++ ++ err = mlx5_esw_bridge_port_mcast_init(port); ++ if (err) { ++ failed = port; ++ goto err_port; ++ } ++ } ++ return 0; ++ ++err_port: ++ xa_for_each(&br_offloads->ports, i, port) { ++ if (port == failed) ++ break; ++ if (port->bridge != bridge) ++ continue; ++ ++ mlx5_esw_bridge_port_mcast_cleanup(port); ++ } ++ return err; ++} ++ ++static void mlx5_esw_brige_mcast_cleanup(struct mlx5_esw_bridge *bridge) ++{ ++ struct mlx5_esw_bridge_offloads *br_offloads = bridge->br_offloads; ++ struct mlx5_esw_bridge_port *port; ++ unsigned long i; ++ ++ xa_for_each(&br_offloads->ports, i, port) { ++ if (port->bridge != bridge) ++ continue; ++ ++ mlx5_esw_bridge_port_mcast_cleanup(port); ++ } ++} ++ + static int mlx5_esw_brige_mcast_global_enable(struct mlx5_esw_bridge_offloads *br_offloads) + { + int err; +@@ -306,11 +624,20 @@ int mlx5_esw_bridge_mcast_enable(struct mlx5_esw_bridge *bridge) + return err; + + bridge->flags |= MLX5_ESW_BRIDGE_MCAST_FLAG; +- return 0; ++ ++ err = mlx5_esw_brige_mcast_init(bridge); ++ if (err) { ++ esw_warn(bridge->br_offloads->esw->dev, "Failed to enable multicast (err=%d)\n", ++ err); ++ bridge->flags &= ~MLX5_ESW_BRIDGE_MCAST_FLAG; ++ mlx5_esw_brige_mcast_global_disable(bridge->br_offloads); ++ } ++ return err; + } + + void mlx5_esw_bridge_mcast_disable(struct mlx5_esw_bridge *bridge) + { ++ mlx5_esw_brige_mcast_cleanup(bridge); + bridge->flags &= ~MLX5_ESW_BRIDGE_MCAST_FLAG; + mlx5_esw_brige_mcast_global_disable(bridge->br_offloads); + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +index dbb935db1b3c..7fdd719f363c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h ++++ 
b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +@@ -81,9 +81,23 @@ static_assert(MLX5_ESW_BRIDGE_EGRESS_TABLE_SIZE == 524288); + + #define MLX5_ESW_BRIDGE_SKIP_TABLE_SIZE 0 + ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_SIZE 1 ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_SIZE 1 ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_IDX_FROM 0 ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_IDX_FROM + \ ++ MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_SIZE - 1) ++ ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_SIZE \ ++ (MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_IDX_TO + 1) + enum { + MLX5_ESW_BRIDGE_LEVEL_INGRESS_TABLE, + MLX5_ESW_BRIDGE_LEVEL_EGRESS_TABLE, ++ MLX5_ESW_BRIDGE_LEVEL_MCAST_TABLE, + MLX5_ESW_BRIDGE_LEVEL_SKIP_TABLE, + }; + +@@ -138,6 +152,14 @@ struct mlx5_esw_bridge_port { + u16 flags; + struct mlx5_esw_bridge *bridge; + struct xarray vlans; ++ struct { ++ struct mlx5_flow_table *ft; ++ struct mlx5_flow_group *filter_fg; ++ struct mlx5_flow_group *fwd_fg; ++ ++ struct mlx5_flow_handle *filter_handle; ++ struct mlx5_flow_handle *fwd_handle; ++ } mcast; + }; + + struct mlx5_esw_bridge { +@@ -161,6 +183,12 @@ struct mlx5_esw_bridge { + u16 vlan_proto; + }; + ++struct mlx5_flow_table *mlx5_esw_bridge_table_create(int max_fte, u32 level, ++ struct mlx5_eswitch *esw); ++ ++int mlx5_esw_bridge_port_mcast_init(struct mlx5_esw_bridge_port *port); ++void mlx5_esw_bridge_port_mcast_cleanup(struct mlx5_esw_bridge_port *port); ++ + int mlx5_esw_bridge_mcast_enable(struct mlx5_esw_bridge *bridge); + void mlx5_esw_bridge_mcast_disable(struct mlx5_esw_bridge *bridge); + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 
f7ac426fbf9f..5aabeb651ab5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -2841,7 +2841,7 @@ static int init_fdb_root_ns(struct mlx5_flow_steering *steering) + goto out_err; + } + +- maj_prio = fs_create_prio(&steering->fdb_root_ns->ns, FDB_BR_OFFLOAD, 3); ++ maj_prio = fs_create_prio(&steering->fdb_root_ns->ns, FDB_BR_OFFLOAD, 4); + if (IS_ERR(maj_prio)) { + err = PTR_ERR(maj_prio); + goto out_err; +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0070-net-mlx5-Bridge-support-multicast-VLAN-pop.patch b/SPECS/kernel-hci/0070-net-mlx5-Bridge-support-multicast-VLAN-pop.patch new file mode 100644 index 00000000000..359904003f4 --- /dev/null +++ b/SPECS/kernel-hci/0070-net-mlx5-Bridge-support-multicast-VLAN-pop.patch @@ -0,0 +1,449 @@ +From faec88115c63d0dcb53324cccc7850cb89bad042 Mon Sep 17 00:00:00 2001 +From: Amir Tzin +Date: Mon, 29 May 2023 11:24:22 +0300 +Subject: [PATCH 55/58] net/mlx5: Bridge, support multicast VLAN pop + +Upstream Status: v6.4-rc1 + +commit b5e80625d168 ("net/mlx5: Bridge, support multicast VLAN pop") +Author: Vlad Buslov +Date: Wed Feb 22 13:13:32 2023 +0100 + + net/mlx5: Bridge, support multicast VLAN pop + + When VLAN with 'untagged' flag is created on port also provision the + per-port multicast table rule to pop the VLAN during packet replication. + This functionality must be in per-port table because some subset of ports + that are member of multicast group can require just a match on VLAN (trunk + mode) while other subset can be configured to remove the VLAN tag from + packets received on the ports (access mode). + + Signed-off-by: Vlad Buslov + Reviewed-by: Maor Dickman + Reviewed-by: Roi Dayan + 
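Review bot: In the new `mlx5_esw_bridge_mcast_filter_flow_peer_create` (bridge_mcast.c part of this patch) the result pointer is declared `static struct mlx5_flow_handle *handle;`, which turns a per-call return value into one global shared by every port and bridge on the host; should two ports ever initialise their multicast tables concurrently, each could hand back the other's rule handle and later delete the wrong one, even if callers happen to be serialised by rtnl today. The declaration should be an ordinary automatic, `struct mlx5_flow_handle *handle;`, as in `mlx5_esw_bridge_mcast_flow_with_esw_create` directly above it. Since this file carries upstream commit 272ecfc92f6f verbatim, it is worth checking whether a follow-up upstream fix exists to carry as a separate patch rather than editing this one in place. Minor: the success path of `mlx5_esw_bridge_port_mcast_init` ends with `return err;` where `err` is already 0; `return 0;` would read more clearly next to the error labels that follow.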
Signed-off-by: Saeed Mahameed + +Change-Id: Ib2531872f5be8ab6db3df16eba2c50f6b5a4f24b +Signed-off-by: Amir Tzin +--- + .../ethernet/mellanox/mlx5/core/esw/bridge.c | 33 ++- + .../mellanox/mlx5/core/esw/bridge_mcast.c | 190 +++++++++++++++++- + .../mellanox/mlx5/core/esw/bridge_priv.h | 22 +- + 3 files changed, 236 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +index 4bc8c6fc394b..52c976135397 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +@@ -1095,8 +1095,21 @@ mlx5_esw_bridge_vlan_push_mark_cleanup(struct mlx5_esw_bridge_vlan *vlan, struct + } + + static int +-mlx5_esw_bridge_vlan_push_pop_create(u16 vlan_proto, u16 flags, struct mlx5_esw_bridge_vlan *vlan, +- struct mlx5_eswitch *esw) ++mlx5_esw_bridge_vlan_push_pop_fhs_create(u16 vlan_proto, struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_vlan *vlan) ++{ ++ return mlx5_esw_bridge_vlan_mcast_init(vlan_proto, port, vlan); ++} ++ ++static void ++mlx5_esw_bridge_vlan_push_pop_fhs_cleanup(struct mlx5_esw_bridge_vlan *vlan) ++{ ++ mlx5_esw_bridge_vlan_mcast_cleanup(vlan); ++} ++ ++static int ++mlx5_esw_bridge_vlan_push_pop_create(u16 vlan_proto, u16 flags, struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_vlan *vlan, struct mlx5_eswitch *esw) + { + int err; + +@@ -1114,10 +1127,16 @@ mlx5_esw_bridge_vlan_push_pop_create(u16 vlan_proto, u16 flags, struct mlx5_esw_ + err = mlx5_esw_bridge_vlan_pop_create(vlan, esw); + if (err) + goto err_vlan_pop; ++ ++ err = mlx5_esw_bridge_vlan_push_pop_fhs_create(vlan_proto, port, vlan); ++ if (err) ++ goto err_vlan_pop_fhs; + } + + return 0; + ++err_vlan_pop_fhs: ++ mlx5_esw_bridge_vlan_pop_cleanup(vlan, esw); + err_vlan_pop: + if (vlan->pkt_mod_hdr_push_mark) + mlx5_esw_bridge_vlan_push_mark_cleanup(vlan, esw); +@@ -1142,7 +1161,7 @@ mlx5_esw_bridge_vlan_create(u16 
vlan_proto, u16 vid, u16 flags, struct mlx5_esw_ + vlan->flags = flags; + INIT_LIST_HEAD(&vlan->fdb_list); + +- err = mlx5_esw_bridge_vlan_push_pop_create(vlan_proto, flags, vlan, esw); ++ err = mlx5_esw_bridge_vlan_push_pop_create(vlan_proto, flags, port, vlan, esw); + if (err) + goto err_vlan_push_pop; + +@@ -1154,6 +1173,8 @@ mlx5_esw_bridge_vlan_create(u16 vlan_proto, u16 vid, u16 flags, struct mlx5_esw_ + return vlan; + + err_xa_insert: ++ if (vlan->mcast_handle) ++ mlx5_esw_bridge_vlan_push_pop_fhs_cleanup(vlan); + if (vlan->pkt_reformat_pop) + mlx5_esw_bridge_vlan_pop_cleanup(vlan, esw); + if (vlan->pkt_mod_hdr_push_mark) +@@ -1180,6 +1201,8 @@ static void mlx5_esw_bridge_vlan_flush(struct mlx5_esw_bridge_vlan *vlan, + list_for_each_entry_safe(entry, tmp, &vlan->fdb_list, vlan_list) + mlx5_esw_bridge_fdb_entry_notify_and_cleanup(entry, bridge); + ++ if (vlan->mcast_handle) ++ mlx5_esw_bridge_vlan_push_pop_fhs_cleanup(vlan); + if (vlan->pkt_reformat_pop) + mlx5_esw_bridge_vlan_pop_cleanup(vlan, esw); + if (vlan->pkt_mod_hdr_push_mark) +@@ -1218,8 +1241,8 @@ static int mlx5_esw_bridge_port_vlans_recreate(struct mlx5_esw_bridge_port *port + + xa_for_each(&port->vlans, i, vlan) { + mlx5_esw_bridge_vlan_flush(vlan, bridge); +- err = mlx5_esw_bridge_vlan_push_pop_create(bridge->vlan_proto, vlan->flags, vlan, +- br_offloads->esw); ++ err = mlx5_esw_bridge_vlan_push_pop_create(bridge->vlan_proto, vlan->flags, port, ++ vlan, br_offloads->esw); + if (err) { + esw_warn(br_offloads->esw->dev, + "Failed to create VLAN=%u(proto=%x) push/pop actions (vport=%u,err=%d)\n", +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c +index 4f54cb41ed19..99e2f9fc11a2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c +@@ -62,6 +62,60 @@ mlx5_esw_bridge_mcast_filter_fg_create(struct mlx5_eswitch *esw, + return fg; + } 
+ ++static struct mlx5_flow_group * ++mlx5_esw_bridge_mcast_vlan_proto_fg_create(unsigned int from, unsigned int to, u16 vlan_proto, ++ struct mlx5_eswitch *esw, ++ struct mlx5_flow_table *mcast_ft) ++{ ++ int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); ++ struct mlx5_flow_group *fg; ++ u32 *in, *match; ++ ++ in = kvzalloc(inlen, GFP_KERNEL); ++ if (!in) ++ return ERR_PTR(-ENOMEM); ++ ++ MLX5_SET(create_flow_group_in, in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); ++ match = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); ++ ++ if (vlan_proto == ETH_P_8021Q) ++ MLX5_SET_TO_ONES(fte_match_param, match, outer_headers.cvlan_tag); ++ else if (vlan_proto == ETH_P_8021AD) ++ MLX5_SET_TO_ONES(fte_match_param, match, outer_headers.svlan_tag); ++ MLX5_SET_TO_ONES(fte_match_param, match, outer_headers.first_vid); ++ ++ MLX5_SET(create_flow_group_in, in, start_flow_index, from); ++ MLX5_SET(create_flow_group_in, in, end_flow_index, to); ++ ++ fg = mlx5_create_flow_group(mcast_ft, in); ++ kvfree(in); ++ if (IS_ERR(fg)) ++ esw_warn(esw->dev, ++ "Failed to create VLAN(proto=%x) flow group for bridge mcast table (err=%pe)\n", ++ vlan_proto, fg); ++ ++ return fg; ++} ++ ++static struct mlx5_flow_group * ++mlx5_esw_bridge_mcast_vlan_fg_create(struct mlx5_eswitch *esw, struct mlx5_flow_table *mcast_ft) ++{ ++ unsigned int from = MLX5_ESW_BRIDGE_MCAST_TABLE_VLAN_GRP_IDX_FROM; ++ unsigned int to = MLX5_ESW_BRIDGE_MCAST_TABLE_VLAN_GRP_IDX_TO; ++ ++ return mlx5_esw_bridge_mcast_vlan_proto_fg_create(from, to, ETH_P_8021Q, esw, mcast_ft); ++} ++ ++static struct mlx5_flow_group * ++mlx5_esw_bridge_mcast_qinq_fg_create(struct mlx5_eswitch *esw, ++ struct mlx5_flow_table *mcast_ft) ++{ ++ unsigned int from = MLX5_ESW_BRIDGE_MCAST_TABLE_QINQ_GRP_IDX_FROM; ++ unsigned int to = MLX5_ESW_BRIDGE_MCAST_TABLE_QINQ_GRP_IDX_TO; ++ ++ return mlx5_esw_bridge_mcast_vlan_proto_fg_create(from, to, ETH_P_8021AD, esw, mcast_ft); ++} ++ + static struct mlx5_flow_group * + 
mlx5_esw_bridge_mcast_fwd_fg_create(struct mlx5_eswitch *esw, + struct mlx5_flow_table *mcast_ft) +@@ -91,15 +145,27 @@ mlx5_esw_bridge_mcast_fwd_fg_create(struct mlx5_eswitch *esw, + + static int mlx5_esw_bridge_port_mcast_fgs_init(struct mlx5_esw_bridge_port *port) + { ++ struct mlx5_flow_group *fwd_fg, *qinq_fg, *vlan_fg, *filter_fg; + struct mlx5_eswitch *esw = port->bridge->br_offloads->esw; + struct mlx5_flow_table *mcast_ft = port->mcast.ft; +- struct mlx5_flow_group *fwd_fg, *filter_fg; + int err; + + filter_fg = mlx5_esw_bridge_mcast_filter_fg_create(esw, mcast_ft); + if (IS_ERR(filter_fg)) + return PTR_ERR(filter_fg); + ++ vlan_fg = mlx5_esw_bridge_mcast_vlan_fg_create(esw, mcast_ft); ++ if (IS_ERR(vlan_fg)) { ++ err = PTR_ERR(vlan_fg); ++ goto err_vlan_fg; ++ } ++ ++ qinq_fg = mlx5_esw_bridge_mcast_qinq_fg_create(esw, mcast_ft); ++ if (IS_ERR(qinq_fg)) { ++ err = PTR_ERR(qinq_fg); ++ goto err_qinq_fg; ++ } ++ + fwd_fg = mlx5_esw_bridge_mcast_fwd_fg_create(esw, mcast_ft); + if (IS_ERR(fwd_fg)) { + err = PTR_ERR(fwd_fg); +@@ -107,11 +173,17 @@ static int mlx5_esw_bridge_port_mcast_fgs_init(struct mlx5_esw_bridge_port *port + } + + port->mcast.filter_fg = filter_fg; ++ port->mcast.vlan_fg = vlan_fg; ++ port->mcast.qinq_fg = qinq_fg; + port->mcast.fwd_fg = fwd_fg; + + return 0; + + err_fwd_fg: ++ mlx5_destroy_flow_group(qinq_fg); ++err_qinq_fg: ++ mlx5_destroy_flow_group(vlan_fg); ++err_vlan_fg: + mlx5_destroy_flow_group(filter_fg); + return err; + } +@@ -121,6 +193,12 @@ static void mlx5_esw_bridge_port_mcast_fgs_cleanup(struct mlx5_esw_bridge_port * + if (port->mcast.fwd_fg) + mlx5_destroy_flow_group(port->mcast.fwd_fg); + port->mcast.fwd_fg = NULL; ++ if (port->mcast.qinq_fg) ++ mlx5_destroy_flow_group(port->mcast.qinq_fg); ++ port->mcast.qinq_fg = NULL; ++ if (port->mcast.vlan_fg) ++ mlx5_destroy_flow_group(port->mcast.vlan_fg); ++ port->mcast.vlan_fg = NULL; + if (port->mcast.filter_fg) + mlx5_destroy_flow_group(port->mcast.filter_fg); + 
port->mcast.filter_fg = NULL; +@@ -177,6 +255,82 @@ mlx5_esw_bridge_mcast_filter_flow_peer_create(struct mlx5_esw_bridge_port *port) + return handle; + } + ++static struct mlx5_flow_handle * ++mlx5_esw_bridge_mcast_vlan_flow_create(u16 vlan_proto, struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_vlan *vlan) ++{ ++ struct mlx5_flow_act flow_act = { ++ .action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST, ++ .flags = FLOW_ACT_NO_APPEND, ++ }; ++ struct mlx5_flow_destination dest = { ++ .type = MLX5_FLOW_DESTINATION_TYPE_VPORT, ++ .vport.num = port->vport_num, ++ }; ++ struct mlx5_esw_bridge *bridge = port->bridge; ++ struct mlx5_flow_spec *rule_spec; ++ struct mlx5_flow_handle *handle; ++ ++ rule_spec = kvzalloc(sizeof(*rule_spec), GFP_KERNEL); ++ if (!rule_spec) ++ return ERR_PTR(-ENOMEM); ++ ++ if (MLX5_CAP_ESW_FLOWTABLE(bridge->br_offloads->esw->dev, flow_source) && ++ port->vport_num == MLX5_VPORT_UPLINK) ++ rule_spec->flow_context.flow_source = ++ MLX5_FLOW_CONTEXT_FLOW_SOURCE_LOCAL_VPORT; ++ rule_spec->match_criteria_enable = MLX5_MATCH_OUTER_HEADERS; ++ ++ flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT; ++ flow_act.pkt_reformat = vlan->pkt_reformat_pop; ++ ++ if (vlan_proto == ETH_P_8021Q) { ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_criteria, ++ outer_headers.cvlan_tag); ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_value, ++ outer_headers.cvlan_tag); ++ } else if (vlan_proto == ETH_P_8021AD) { ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_criteria, ++ outer_headers.svlan_tag); ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_value, ++ outer_headers.svlan_tag); ++ } ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_criteria, outer_headers.first_vid); ++ MLX5_SET(fte_match_param, rule_spec->match_value, outer_headers.first_vid, vlan->vid); ++ ++ if (MLX5_CAP_ESW(bridge->br_offloads->esw->dev, merged_eswitch)) { ++ dest.vport.flags = MLX5_FLOW_DEST_VPORT_VHCA_ID; ++ dest.vport.vhca_id = 
port->esw_owner_vhca_id; ++ } ++ handle = mlx5_add_flow_rules(port->mcast.ft, rule_spec, &flow_act, &dest, 1); ++ ++ kvfree(rule_spec); ++ return handle; ++} ++ ++int mlx5_esw_bridge_vlan_mcast_init(u16 vlan_proto, struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_vlan *vlan) ++{ ++ struct mlx5_flow_handle *handle; ++ ++ if (!(port->bridge->flags & MLX5_ESW_BRIDGE_MCAST_FLAG)) ++ return 0; ++ ++ handle = mlx5_esw_bridge_mcast_vlan_flow_create(vlan_proto, port, vlan); ++ if (IS_ERR(handle)) ++ return PTR_ERR(handle); ++ ++ vlan->mcast_handle = handle; ++ return 0; ++} ++ ++void mlx5_esw_bridge_vlan_mcast_cleanup(struct mlx5_esw_bridge_vlan *vlan) ++{ ++ if (vlan->mcast_handle) ++ mlx5_del_flow_rules(vlan->mcast_handle); ++ vlan->mcast_handle = NULL; ++} ++ + static struct mlx5_flow_handle * + mlx5_esw_bridge_mcast_fwd_flow_create(struct mlx5_esw_bridge_port *port) + { +@@ -214,6 +368,10 @@ mlx5_esw_bridge_mcast_fwd_flow_create(struct mlx5_esw_bridge_port *port) + static int mlx5_esw_bridge_port_mcast_fhs_init(struct mlx5_esw_bridge_port *port) + { + struct mlx5_flow_handle *filter_handle, *fwd_handle; ++ struct mlx5_esw_bridge_vlan *vlan, *failed; ++ unsigned long index; ++ int err; ++ + + filter_handle = (port->flags & MLX5_ESW_BRIDGE_PORT_FLAG_PEER) ? 
+ mlx5_esw_bridge_mcast_filter_flow_peer_create(port) : +@@ -223,18 +381,44 @@ static int mlx5_esw_bridge_port_mcast_fhs_init(struct mlx5_esw_bridge_port *port + + fwd_handle = mlx5_esw_bridge_mcast_fwd_flow_create(port); + if (IS_ERR(fwd_handle)) { +- mlx5_del_flow_rules(filter_handle); +- return PTR_ERR(fwd_handle); ++ err = PTR_ERR(fwd_handle); ++ goto err_fwd; ++ } ++ ++ xa_for_each(&port->vlans, index, vlan) { ++ err = mlx5_esw_bridge_vlan_mcast_init(port->bridge->vlan_proto, port, vlan); ++ if (err) { ++ failed = vlan; ++ goto err_vlan; ++ } + } + + port->mcast.filter_handle = filter_handle; + port->mcast.fwd_handle = fwd_handle; + + return 0; ++ ++err_vlan: ++ xa_for_each(&port->vlans, index, vlan) { ++ if (vlan == failed) ++ break; ++ ++ mlx5_esw_bridge_vlan_mcast_cleanup(vlan); ++ } ++ mlx5_del_flow_rules(fwd_handle); ++err_fwd: ++ mlx5_del_flow_rules(filter_handle); ++ return err; + } + + static void mlx5_esw_bridge_port_mcast_fhs_cleanup(struct mlx5_esw_bridge_port *port) + { ++ struct mlx5_esw_bridge_vlan *vlan; ++ unsigned long index; ++ ++ xa_for_each(&port->vlans, index, vlan) ++ mlx5_esw_bridge_vlan_mcast_cleanup(vlan); ++ + if (port->mcast.fwd_handle) + mlx5_del_flow_rules(port->mcast.fwd_handle); + port->mcast.fwd_handle = NULL; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +index 7fdd719f363c..36ff32001ce8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +@@ -83,17 +83,31 @@ static_assert(MLX5_ESW_BRIDGE_EGRESS_TABLE_SIZE == 524288); + + #define MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_SIZE 1 + #define MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_SIZE 1 ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_VLAN_GRP_SIZE 4095 ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_QINQ_GRP_SIZE MLX5_ESW_BRIDGE_MCAST_TABLE_VLAN_GRP_SIZE + #define MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_IDX_FROM 0 + #define 
MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_IDX_TO \ + (MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_SIZE - 1) +-#define MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_IDX_FROM \ ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_VLAN_GRP_IDX_FROM \ + (MLX5_ESW_BRIDGE_MCAST_TABLE_FILTER_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_VLAN_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_MCAST_TABLE_VLAN_GRP_IDX_FROM + \ ++ MLX5_ESW_BRIDGE_MCAST_TABLE_VLAN_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_QINQ_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_MCAST_TABLE_VLAN_GRP_IDX_TO + 1) ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_QINQ_GRP_IDX_TO \ ++ (MLX5_ESW_BRIDGE_MCAST_TABLE_QINQ_GRP_IDX_FROM + \ ++ MLX5_ESW_BRIDGE_MCAST_TABLE_QINQ_GRP_SIZE - 1) ++#define MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_IDX_FROM \ ++ (MLX5_ESW_BRIDGE_MCAST_TABLE_QINQ_GRP_IDX_TO + 1) + #define MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_IDX_TO \ + (MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_IDX_FROM + \ + MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_SIZE - 1) + + #define MLX5_ESW_BRIDGE_MCAST_TABLE_SIZE \ + (MLX5_ESW_BRIDGE_MCAST_TABLE_FWD_GRP_IDX_TO + 1) ++static_assert(MLX5_ESW_BRIDGE_MCAST_TABLE_SIZE == 8192); ++ + enum { + MLX5_ESW_BRIDGE_LEVEL_INGRESS_TABLE, + MLX5_ESW_BRIDGE_LEVEL_EGRESS_TABLE, +@@ -144,6 +158,7 @@ struct mlx5_esw_bridge_vlan { + struct mlx5_pkt_reformat *pkt_reformat_push; + struct mlx5_pkt_reformat *pkt_reformat_pop; + struct mlx5_modify_hdr *pkt_mod_hdr_push_mark; ++ struct mlx5_flow_handle *mcast_handle; + }; + + struct mlx5_esw_bridge_port { +@@ -155,6 +170,8 @@ struct mlx5_esw_bridge_port { + struct { + struct mlx5_flow_table *ft; + struct mlx5_flow_group *filter_fg; ++ struct mlx5_flow_group *vlan_fg; ++ struct mlx5_flow_group *qinq_fg; + struct mlx5_flow_group *fwd_fg; + + struct mlx5_flow_handle *filter_handle; +@@ -188,6 +205,9 @@ struct mlx5_flow_table *mlx5_esw_bridge_table_create(int max_fte, u32 level, + + int mlx5_esw_bridge_port_mcast_init(struct mlx5_esw_bridge_port *port); + void mlx5_esw_bridge_port_mcast_cleanup(struct 
mlx5_esw_bridge_port *port); ++int mlx5_esw_bridge_vlan_mcast_init(u16 vlan_proto, struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_vlan *vlan); ++void mlx5_esw_bridge_vlan_mcast_cleanup(struct mlx5_esw_bridge_vlan *vlan); + + int mlx5_esw_bridge_mcast_enable(struct mlx5_esw_bridge *bridge); + void mlx5_esw_bridge_mcast_disable(struct mlx5_esw_bridge *bridge); +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0071-netlink-add-support-for-formatted-extack-messages.patch b/SPECS/kernel-hci/0071-netlink-add-support-for-formatted-extack-messages.patch new file mode 100644 index 00000000000..6e5e9fc9cf6 --- /dev/null +++ b/SPECS/kernel-hci/0071-netlink-add-support-for-formatted-extack-messages.patch @@ -0,0 +1,104 @@ +From 270782c35785f4c62a96ac3014c9ef2e5b4ed441 Mon Sep 17 00:00:00 2001 +From: Amir Tzin +Date: Mon, 29 May 2023 11:24:22 +0300 +Subject: [PATCH 56/58] netlink: add support for formatted extack messages + +Upstream Status: v6.2-rc1 +Conflicts: + - include/linux/netlink.h + context diff due to missing commit + 690252f19f0e ("netlink: add support for ext_ack missing attributes") + +commit 51c352bdbcd2 ("netlink: add support for formatted extack messages") +Author: Edward Cree +Date: Tue Oct 18 15:37:27 2022 +0100 + + netlink: add support for formatted extack messages + + Include an 80-byte buffer in struct netlink_ext_ack that can be used + for scnprintf()ed messages. This does mean that the resulting string + can't be enumerated, translated etc. in the way NL_SET_ERR_MSG() was + designed to allow. + + Signed-off-by: Edward Cree + Reviewed-by: Jakub Kicinski + 
Signed-off-by: Jakub Kicinski + +Change-Id: Ica7463bfae1483c6a9d9032257fd273c9e626f28 +Signed-off-by: Amir Tzin +--- + include/linux/netlink.h | 29 +++++++++++++++++++++++++++-- + 1 file changed, 27 insertions(+), 2 deletions(-) + +diff --git a/include/linux/netlink.h b/include/linux/netlink.h +index 61b1c7fcc401..f7a280517d0b 100644 +--- a/include/linux/netlink.h ++++ b/include/linux/netlink.h +@@ -64,6 +64,7 @@ netlink_kernel_create(struct net *net, int unit, struct netlink_kernel_cfg *cfg) + + /* this can be increased when necessary - don't expose to userland */ + #define NETLINK_MAX_COOKIE_LEN 20 ++#define NETLINK_MAX_FMTMSG_LEN 80 + + /** + * struct netlink_ext_ack - netlink extended ACK report struct +@@ -73,6 +74,8 @@ netlink_kernel_create(struct net *net, int unit, struct netlink_kernel_cfg *cfg) + * @policy: policy for a bad attribute + * @cookie: cookie data to return to userspace (for success) + * @cookie_len: actual cookie data length ++ * @_msg_buf: output buffer for formatted message strings - don't access ++ * directly, use %NL_SET_ERR_MSG_FMT + */ + struct netlink_ext_ack { + const char *_msg; +@@ -80,13 +83,13 @@ struct netlink_ext_ack { + const struct nla_policy *policy; + u8 cookie[NETLINK_MAX_COOKIE_LEN]; + u8 cookie_len; ++ char _msg_buf[NETLINK_MAX_FMTMSG_LEN]; + }; + + /* Always use this macro, this allows later putting the + * message into a separate section or such for things + * like translation or listing all possible messages. +- * Currently string formatting is not supported (due +- * to the lack of an output buffer.) ++ * If string formatting is needed use NL_SET_ERR_MSG_FMT. 
+ */ + #define NL_SET_ERR_MSG(extack, msg) do { \ + static const char __msg[] = msg; \ +@@ -98,9 +101,31 @@ struct netlink_ext_ack { + __extack->_msg = __msg; \ + } while (0) + ++/* We splice fmt with %s at each end even in the snprintf so that both calls ++ * can use the same string constant, avoiding its duplication in .ro ++ */ ++#define NL_SET_ERR_MSG_FMT(extack, fmt, args...) do { \ ++ struct netlink_ext_ack *__extack = (extack); \ ++ \ ++ if (!__extack) \ ++ break; \ ++ if (snprintf(__extack->_msg_buf, NETLINK_MAX_FMTMSG_LEN, \ ++ "%s" fmt "%s", "", ##args, "") >= \ ++ NETLINK_MAX_FMTMSG_LEN) \ ++ net_warn_ratelimited("%s" fmt "%s", "truncated extack: ", \ ++ ##args, "\n"); \ ++ \ ++ do_trace_netlink_extack(__extack->_msg_buf); \ ++ \ ++ __extack->_msg = __extack->_msg_buf; \ ++} while (0) ++ + #define NL_SET_ERR_MSG_MOD(extack, msg) \ + NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg) + ++#define NL_SET_ERR_MSG_FMT_MOD(extack, fmt, args...) \ ++ NL_SET_ERR_MSG_FMT((extack), KBUILD_MODNAME ": " fmt, ##args) ++ + #define NL_SET_BAD_ATTR_POLICY(extack, attr, pol) do { \ + if ((extack)) { \ + (extack)->bad_attr = (attr); \ +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0072-net-mlx5-Bridge-implement-mdb-offload.patch b/SPECS/kernel-hci/0072-net-mlx5-Bridge-implement-mdb-offload.patch new file mode 100644 index 00000000000..c1a18568b6a --- /dev/null +++ b/SPECS/kernel-hci/0072-net-mlx5-Bridge-implement-mdb-offload.patch 
@@ -0,0 +1,683 @@ +From d3a9606f9a569a9bf349c07ed6e58a91950d7190 Mon Sep 17 00:00:00 2001 +From: Amir Tzin +Date: Mon, 29 May 2023 11:24:22 +0300 +Subject: [PATCH 57/58] net/mlx5: Bridge, implement mdb offload + +Upstream Status: v6.4-rc1 + +commit 70f0302b3f20 ("net/mlx5: Bridge, implement mdb offload") +Author: Vlad Buslov +Date: Sat Feb 4 07:58:54 2023 +0100 + + net/mlx5: Bridge, implement mdb offload + + Implement support for add/del SWITCHDEV_OBJ_ID_PORT_MDB events. For mdb + destination addresses configure egress table rules to replicate to per-port + multicast tables of all ports that are member of the multicast group as + illustrated by 'MDB1' rule in the following diagram: + + +--------+--+ + +---------------------------------------> Port 1 | | + | +-^------+--+ + | | + | | + +-----------------------------------------+ | +---------------------------+ | + | EGRESS table | | +--> PORT 1 multicast table | | + +----------------------------------+ +-----------------------------------------+ | | +---------------------------+ | + | INGRESS table | | | | | | | | + +----------------------------------+ | dst_mac=P1,vlan=X -> pop vlan, goto P1 +--+ | | FG0: | | + | | | dst_mac=P1,vlan=Y -> pop vlan, goto P1 | | | src_port=dst_port -> drop | | + | src_mac=M1,vlan=X -> goto egress +---> dst_mac=P2,vlan=X -> pop vlan, goto P2 +--+ | | FG1: | | + | ... | | dst_mac=P2,vlan=Y -> goto P2 | | | | VLAN X -> pop, goto port | | + | | | dst_mac=MDB1,vlan=Y -> goto mcast P1,P2 +-----+ | ... 
| | + +----------------------------------+ | | | | | VLAN Y -> pop, goto port +-------+ + +-----------------------------------------+ | | | FG3: | + | | | matchall -> goto port | + | | | | + | | +---------------------------+ + | | + | | + | | +--------+--+ + +---------------------------------------> Port 2 | | + | +-^------+--+ + | | + | | + | +---------------------------+ | + +--> PORT 2 multicast table | | + +---------------------------+ | + | | | + | FG0: | | + | src_port=dst_port -> drop | | + | FG1: | | + | VLAN X -> pop, goto port | | + | ... | | + | | | + | FG3: | | + | matchall -> goto port +-------+ + | | + +---------------------------+ + + MDB is managed by extending mlx5 bridge to store an entry in + mlx5_esw_bridge->mdb_list linked list (used to iterate over all offloaded + MDBs) and mlx5_esw_bridge->mdb_ht hash table (used to lookup existing MDB + by MAC+VLAN). Every MDB entry can be attached to arbitrary amount of bridge + ports that are stored in mlx5_esw_bridge_mdb_entry->ports xarray in order + to allow both efficient lookup of the port and also iteration over all + ports that the entry is attached to. Every time MDB is attached/detached + to/from a port, the hardware rule is recreated with list of destinations + corresponding to all attached ports. When the entry is detached from the + last port it is removed from mdb and destroyed which means that the ports + xarray also acts as implicit reference counting mechanism. + + Signed-off-by: Vlad Buslov + Reviewed-by: Maor Dickman + Reviewed-by: Roi Dayan + 
Signed-off-by: Saeed Mahameed + +Change-Id: I24911f5051d57c757fbecc30715215fe77b53899 +Signed-off-by: Amir Tzin +--- + .../mellanox/mlx5/core/en/rep/bridge.c | 12 + + .../ethernet/mellanox/mlx5/core/esw/bridge.c | 75 ++++- + .../ethernet/mellanox/mlx5/core/esw/bridge.h | 6 + + .../mellanox/mlx5/core/esw/bridge_mcast.c | 295 ++++++++++++++++++ + .../mellanox/mlx5/core/esw/bridge_priv.h | 29 ++ + 5 files changed, 413 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c +index 6c56a096cd4b..d1df5a93f13e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c +@@ -189,6 +189,7 @@ mlx5_esw_bridge_port_obj_add(struct net_device *dev, + struct netlink_ext_ack *extack = switchdev_notifier_info_to_extack(&port_obj_info->info); + const struct switchdev_obj *obj = port_obj_info->obj; + const struct switchdev_obj_port_vlan *vlan; ++ const struct switchdev_obj_port_mdb *mdb; + u16 vport_num, esw_owner_vhca_id; + int err; + +@@ -204,6 +205,11 @@ mlx5_esw_bridge_port_obj_add(struct net_device *dev, + err = mlx5_esw_bridge_port_vlan_add(vport_num, esw_owner_vhca_id, vlan->vid, + vlan->flags, br_offloads, extack); + break; ++ case SWITCHDEV_OBJ_ID_PORT_MDB: ++ mdb = SWITCHDEV_OBJ_PORT_MDB(obj); ++ err = mlx5_esw_bridge_port_mdb_add(vport_num, esw_owner_vhca_id, mdb->addr, ++ mdb->vid, br_offloads, extack); ++ break; + default: + return -EOPNOTSUPP; + } +@@ -217,6 +223,7 @@ mlx5_esw_bridge_port_obj_del(struct net_device *dev, + { + const struct switchdev_obj *obj = port_obj_info->obj; + const struct switchdev_obj_port_vlan *vlan; ++ const struct switchdev_obj_port_mdb *mdb; + u16 vport_num, esw_owner_vhca_id; + + if (!mlx5_esw_bridge_rep_vport_num_vhca_id_get(dev, br_offloads->esw, &vport_num, +@@ -230,6 +237,11 @@ mlx5_esw_bridge_port_obj_del(struct net_device *dev, + vlan = 
SWITCHDEV_OBJ_PORT_VLAN(obj); + mlx5_esw_bridge_port_vlan_del(vport_num, esw_owner_vhca_id, vlan->vid, br_offloads); + break; ++ case SWITCHDEV_OBJ_ID_PORT_MDB: ++ mdb = SWITCHDEV_OBJ_PORT_MDB(obj); ++ mlx5_esw_bridge_port_mdb_del(vport_num, esw_owner_vhca_id, mdb->addr, mdb->vid, ++ br_offloads); ++ break; + default: + return -EOPNOTSUPP; + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +index 52c976135397..be4787539c6c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +@@ -840,6 +840,10 @@ static struct mlx5_esw_bridge *mlx5_esw_bridge_create(int ifindex, + if (err) + goto err_fdb_ht; + ++ err = mlx5_esw_bridge_mdb_init(bridge); ++ if (err) ++ goto err_mdb_ht; ++ + INIT_LIST_HEAD(&bridge->fdb_list); + bridge->ifindex = ifindex; + bridge->refcnt = 1; +@@ -849,6 +853,8 @@ static struct mlx5_esw_bridge *mlx5_esw_bridge_create(int ifindex, + + return bridge; + ++err_mdb_ht: ++ rhashtable_destroy(&bridge->fdb_ht); + err_fdb_ht: + mlx5_esw_bridge_egress_table_cleanup(bridge); + err_egress_tbl: +@@ -870,6 +876,7 @@ static void mlx5_esw_bridge_put(struct mlx5_esw_bridge_offloads *br_offloads, + mlx5_esw_bridge_egress_table_cleanup(bridge); + mlx5_esw_bridge_mcast_disable(bridge); + list_del(&bridge->list); ++ mlx5_esw_bridge_mdb_cleanup(bridge); + rhashtable_destroy(&bridge->fdb_ht); + kvfree(bridge); + +@@ -909,7 +916,7 @@ static unsigned long mlx5_esw_bridge_port_key_from_data(u16 vport_num, u16 esw_o + return vport_num | (unsigned long)esw_owner_vhca_id << sizeof(vport_num) * BITS_PER_BYTE; + } + +-static unsigned long mlx5_esw_bridge_port_key(struct mlx5_esw_bridge_port *port) ++unsigned long mlx5_esw_bridge_port_key(struct mlx5_esw_bridge_port *port) + { + return mlx5_esw_bridge_port_key_from_data(port->vport_num, port->esw_owner_vhca_id); + } +@@ -1192,7 +1199,8 @@ static void mlx5_esw_bridge_vlan_erase(struct 
mlx5_esw_bridge_port *port, + xa_erase(&port->vlans, vlan->vid); + } + +-static void mlx5_esw_bridge_vlan_flush(struct mlx5_esw_bridge_vlan *vlan, ++static void mlx5_esw_bridge_vlan_flush(struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_vlan *vlan, + struct mlx5_esw_bridge *bridge) + { + struct mlx5_eswitch *esw = bridge->br_offloads->esw; +@@ -1200,6 +1208,7 @@ static void mlx5_esw_bridge_vlan_flush(struct mlx5_esw_bridge_vlan *vlan, + + list_for_each_entry_safe(entry, tmp, &vlan->fdb_list, vlan_list) + mlx5_esw_bridge_fdb_entry_notify_and_cleanup(entry, bridge); ++ mlx5_esw_bridge_port_mdb_vlan_flush(port, vlan); + + if (vlan->mcast_handle) + mlx5_esw_bridge_vlan_push_pop_fhs_cleanup(vlan); +@@ -1216,7 +1225,7 @@ static void mlx5_esw_bridge_vlan_cleanup(struct mlx5_esw_bridge_port *port, + struct mlx5_esw_bridge *bridge) + { + trace_mlx5_esw_bridge_vlan_cleanup(vlan); +- mlx5_esw_bridge_vlan_flush(vlan, bridge); ++ mlx5_esw_bridge_vlan_flush(port, vlan, bridge); + mlx5_esw_bridge_vlan_erase(port, vlan); + kvfree(vlan); + } +@@ -1240,7 +1249,7 @@ static int mlx5_esw_bridge_port_vlans_recreate(struct mlx5_esw_bridge_port *port + int err; + + xa_for_each(&port->vlans, i, vlan) { +- mlx5_esw_bridge_vlan_flush(vlan, bridge); ++ mlx5_esw_bridge_vlan_flush(port, vlan, bridge); + err = mlx5_esw_bridge_vlan_push_pop_create(bridge->vlan_proto, vlan->flags, port, + vlan, br_offloads->esw); + if (err) { +@@ -1450,6 +1459,7 @@ int mlx5_esw_bridge_vlan_filtering_set(u16 vport_num, u16 esw_owner_vhca_id, boo + return 0; + + mlx5_esw_bridge_fdb_flush(bridge); ++ mlx5_esw_bridge_mdb_flush(bridge); + if (enable) + bridge->flags |= MLX5_ESW_BRIDGE_VLAN_FILTERING_FLAG; + else +@@ -1476,6 +1486,7 @@ int mlx5_esw_bridge_vlan_proto_set(u16 vport_num, u16 esw_owner_vhca_id, u16 pro + } + + mlx5_esw_bridge_fdb_flush(bridge); ++ mlx5_esw_bridge_mdb_flush(bridge); + bridge->vlan_proto = proto; + mlx5_esw_bridge_vlans_recreate(bridge); + +@@ -1792,6 +1803,62 @@ void 
mlx5_esw_bridge_update(struct mlx5_esw_bridge_offloads *br_offloads) + } + } + ++int mlx5_esw_bridge_port_mdb_add(u16 vport_num, u16 esw_owner_vhca_id, const unsigned char *addr, ++ u16 vid, struct mlx5_esw_bridge_offloads *br_offloads, ++ struct netlink_ext_ack *extack) ++{ ++ struct mlx5_esw_bridge_vlan *vlan; ++ struct mlx5_esw_bridge_port *port; ++ struct mlx5_esw_bridge *bridge; ++ int err; ++ ++ port = mlx5_esw_bridge_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); ++ if (!port) { ++ esw_warn(br_offloads->esw->dev, ++ "Failed to lookup bridge port to add MDB (MAC=%pM,vport=%u)\n", ++ addr, vport_num); ++ NL_SET_ERR_MSG_FMT_MOD(extack, ++ "Failed to lookup bridge port to add MDB (MAC=%pM,vport=%u)\n", ++ addr, vport_num); ++ return -EINVAL; ++ } ++ ++ bridge = port->bridge; ++ if (bridge->flags & MLX5_ESW_BRIDGE_VLAN_FILTERING_FLAG && vid) { ++ vlan = mlx5_esw_bridge_vlan_lookup(vid, port); ++ if (!vlan) { ++ esw_warn(br_offloads->esw->dev, ++ "Failed to lookup bridge port vlan metadata to create MDB (MAC=%pM,vid=%u,vport=%u)\n", ++ addr, vid, vport_num); ++ NL_SET_ERR_MSG_FMT_MOD(extack, ++ "Failed to lookup bridge port vlan metadata to create MDB (MAC=%pM,vid=%u,vport=%u)\n", ++ addr, vid, vport_num); ++ return -EINVAL; ++ } ++ } ++ ++ err = mlx5_esw_bridge_port_mdb_attach(port, addr, vid); ++ if (err) { ++ NL_SET_ERR_MSG_FMT_MOD(extack, "Failed to add MDB (MAC=%pM,vid=%u,vport=%u)\n", ++ addr, vid, vport_num); ++ return err; ++ } ++ ++ return 0; ++} ++ ++void mlx5_esw_bridge_port_mdb_del(u16 vport_num, u16 esw_owner_vhca_id, const unsigned char *addr, ++ u16 vid, struct mlx5_esw_bridge_offloads *br_offloads) ++{ ++ struct mlx5_esw_bridge_port *port; ++ ++ port = mlx5_esw_bridge_port_lookup(vport_num, esw_owner_vhca_id, br_offloads); ++ if (!port) ++ return; ++ ++ mlx5_esw_bridge_port_mdb_detach(port, addr, vid); ++} ++ + static void mlx5_esw_bridge_flush(struct mlx5_esw_bridge_offloads *br_offloads) + { + struct mlx5_esw_bridge_port *port; +diff 
--git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h +index b18f137173d9..9cab66467289 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h +@@ -79,4 +79,10 @@ int mlx5_esw_bridge_port_vlan_add(u16 vport_num, u16 esw_owner_vhca_id, u16 vid, + void mlx5_esw_bridge_port_vlan_del(u16 vport_num, u16 esw_owner_vhca_id, u16 vid, + struct mlx5_esw_bridge_offloads *br_offloads); + ++int mlx5_esw_bridge_port_mdb_add(u16 vport_num, u16 esw_owner_vhca_id, const unsigned char *addr, ++ u16 vid, struct mlx5_esw_bridge_offloads *br_offloads, ++ struct netlink_ext_ack *extack); ++void mlx5_esw_bridge_port_mdb_del(u16 vport_num, u16 esw_owner_vhca_id, const unsigned char *addr, ++ u16 vid, struct mlx5_esw_bridge_offloads *br_offloads); ++ + #endif /* __MLX5_ESW_BRIDGE_H__ */ +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c +index 99e2f9fc11a2..d17fe6d374b5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c +@@ -6,6 +6,300 @@ + #include "eswitch.h" + #include "bridge_priv.h" + ++static const struct rhashtable_params mdb_ht_params = { ++ .key_offset = offsetof(struct mlx5_esw_bridge_mdb_entry, key), ++ .key_len = sizeof(struct mlx5_esw_bridge_mdb_key), ++ .head_offset = offsetof(struct mlx5_esw_bridge_mdb_entry, ht_node), ++ .automatic_shrinking = true, ++}; ++ ++int mlx5_esw_bridge_mdb_init(struct mlx5_esw_bridge *bridge) ++{ ++ INIT_LIST_HEAD(&bridge->mdb_list); ++ return rhashtable_init(&bridge->mdb_ht, &mdb_ht_params); ++} ++ ++void mlx5_esw_bridge_mdb_cleanup(struct mlx5_esw_bridge *bridge) ++{ ++ rhashtable_destroy(&bridge->mdb_ht); ++} ++ ++static struct mlx5_esw_bridge_port * ++mlx5_esw_bridge_mdb_port_lookup(struct mlx5_esw_bridge_port *port, ++ struct 
mlx5_esw_bridge_mdb_entry *entry) ++{ ++ return xa_load(&entry->ports, mlx5_esw_bridge_port_key(port)); ++} ++ ++static int mlx5_esw_bridge_mdb_port_insert(struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_mdb_entry *entry) ++{ ++ int err = xa_insert(&entry->ports, mlx5_esw_bridge_port_key(port), port, GFP_KERNEL); ++ ++ if (!err) ++ entry->num_ports++; ++ return err; ++} ++ ++static void mlx5_esw_bridge_mdb_port_remove(struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_mdb_entry *entry) ++{ ++ xa_erase(&entry->ports, mlx5_esw_bridge_port_key(port)); ++ entry->num_ports--; ++} ++ ++static struct mlx5_flow_handle * ++mlx5_esw_bridge_mdb_flow_create(u16 esw_owner_vhca_id, struct mlx5_esw_bridge_mdb_entry *entry, ++ struct mlx5_esw_bridge *bridge) ++{ ++ struct mlx5_flow_act flow_act = { ++ .action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST, ++ .flags = FLOW_ACT_NO_APPEND | FLOW_ACT_IGNORE_FLOW_LEVEL, ++ }; ++ int num_dests = entry->num_ports, i = 0; ++ struct mlx5_flow_destination *dests; ++ struct mlx5_esw_bridge_port *port; ++ struct mlx5_flow_spec *rule_spec; ++ struct mlx5_flow_handle *handle; ++ u8 *dmac_v, *dmac_c; ++ unsigned long idx; ++ ++ rule_spec = kvzalloc(sizeof(*rule_spec), GFP_KERNEL); ++ if (!rule_spec) ++ return ERR_PTR(-ENOMEM); ++ ++ dests = kvcalloc(num_dests, sizeof(*dests), GFP_KERNEL); ++ if (!dests) { ++ kvfree(rule_spec); ++ return ERR_PTR(-ENOMEM); ++ } ++ ++ xa_for_each(&entry->ports, idx, port) { ++ dests[i].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; ++ dests[i].ft = port->mcast.ft; ++ i++; ++ } ++ ++ rule_spec->match_criteria_enable = MLX5_MATCH_OUTER_HEADERS; ++ dmac_v = MLX5_ADDR_OF(fte_match_param, rule_spec->match_value, outer_headers.dmac_47_16); ++ ether_addr_copy(dmac_v, entry->key.addr); ++ dmac_c = MLX5_ADDR_OF(fte_match_param, rule_spec->match_criteria, outer_headers.dmac_47_16); ++ eth_broadcast_addr(dmac_c); ++ ++ if (entry->key.vid) { ++ if (bridge->vlan_proto == ETH_P_8021Q) { ++ 
MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_criteria, ++ outer_headers.cvlan_tag); ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_value, ++ outer_headers.cvlan_tag); ++ } else if (bridge->vlan_proto == ETH_P_8021AD) { ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_criteria, ++ outer_headers.svlan_tag); ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_value, ++ outer_headers.svlan_tag); ++ } ++ MLX5_SET_TO_ONES(fte_match_param, rule_spec->match_criteria, ++ outer_headers.first_vid); ++ MLX5_SET(fte_match_param, rule_spec->match_value, outer_headers.first_vid, ++ entry->key.vid); ++ } ++ ++ handle = mlx5_add_flow_rules(bridge->egress_ft, rule_spec, &flow_act, dests, num_dests); ++ ++ kvfree(dests); ++ kvfree(rule_spec); ++ return handle; ++} ++ ++static int ++mlx5_esw_bridge_port_mdb_offload(struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_mdb_entry *entry) ++{ ++ struct mlx5_flow_handle *handle; ++ ++ handle = mlx5_esw_bridge_mdb_flow_create(port->esw_owner_vhca_id, entry, port->bridge); ++ if (entry->egress_handle) { ++ mlx5_del_flow_rules(entry->egress_handle); ++ entry->egress_handle = NULL; ++ } ++ if (IS_ERR(handle)) ++ return PTR_ERR(handle); ++ ++ entry->egress_handle = handle; ++ return 0; ++} ++ ++static struct mlx5_esw_bridge_mdb_entry * ++mlx5_esw_bridge_mdb_lookup(struct mlx5_esw_bridge *bridge, ++ const unsigned char *addr, u16 vid) ++{ ++ struct mlx5_esw_bridge_mdb_key key = {}; ++ ++ ether_addr_copy(key.addr, addr); ++ key.vid = vid; ++ return rhashtable_lookup_fast(&bridge->mdb_ht, &key, mdb_ht_params); ++} ++ ++static struct mlx5_esw_bridge_mdb_entry * ++mlx5_esw_bridge_port_mdb_entry_init(struct mlx5_esw_bridge_port *port, ++ const unsigned char *addr, u16 vid) ++{ ++ struct mlx5_esw_bridge *bridge = port->bridge; ++ struct mlx5_esw_bridge_mdb_entry *entry; ++ int err; ++ ++ entry = kvzalloc(sizeof(*entry), GFP_KERNEL); ++ if (!entry) ++ return ERR_PTR(-ENOMEM); ++ ++ ether_addr_copy(entry->key.addr, addr); ++ 
entry->key.vid = vid; ++ xa_init(&entry->ports); ++ err = rhashtable_insert_fast(&bridge->mdb_ht, &entry->ht_node, mdb_ht_params); ++ if (err) ++ goto err_ht_insert; ++ ++ list_add(&entry->list, &bridge->mdb_list); ++ ++ return entry; ++ ++err_ht_insert: ++ xa_destroy(&entry->ports); ++ kvfree(entry); ++ return ERR_PTR(err); ++} ++ ++static void mlx5_esw_bridge_port_mdb_entry_cleanup(struct mlx5_esw_bridge *bridge, ++ struct mlx5_esw_bridge_mdb_entry *entry) ++{ ++ if (entry->egress_handle) ++ mlx5_del_flow_rules(entry->egress_handle); ++ list_del(&entry->list); ++ rhashtable_remove_fast(&bridge->mdb_ht, &entry->ht_node, mdb_ht_params); ++ xa_destroy(&entry->ports); ++ kvfree(entry); ++} ++ ++int mlx5_esw_bridge_port_mdb_attach(struct mlx5_esw_bridge_port *port, const unsigned char *addr, ++ u16 vid) ++{ ++ struct mlx5_esw_bridge *bridge = port->bridge; ++ struct mlx5_esw_bridge_mdb_entry *entry; ++ int err; ++ ++ if (!(bridge->flags & MLX5_ESW_BRIDGE_MCAST_FLAG)) ++ return -EOPNOTSUPP; ++ ++ entry = mlx5_esw_bridge_mdb_lookup(bridge, addr, vid); ++ if (entry) { ++ if (mlx5_esw_bridge_mdb_port_lookup(port, entry)) { ++ esw_warn(bridge->br_offloads->esw->dev, "MDB attach entry is already attached to port (MAC=%pM,vid=%u,vport=%u)\n", ++ addr, vid, port->vport_num); ++ return 0; ++ } ++ } else { ++ entry = mlx5_esw_bridge_port_mdb_entry_init(port, addr, vid); ++ if (IS_ERR(entry)) { ++ err = PTR_ERR(entry); ++ esw_warn(bridge->br_offloads->esw->dev, "MDB attach failed to init entry (MAC=%pM,vid=%u,vport=%u,err=%d)\n", ++ addr, vid, port->vport_num, err); ++ return err; ++ } ++ } ++ ++ err = mlx5_esw_bridge_mdb_port_insert(port, entry); ++ if (err) { ++ if (!entry->num_ports) ++ mlx5_esw_bridge_port_mdb_entry_cleanup(bridge, entry); /* new mdb entry */ ++ esw_warn(bridge->br_offloads->esw->dev, ++ "MDB attach failed to insert port (MAC=%pM,vid=%u,vport=%u,err=%d)\n", ++ addr, vid, port->vport_num, err); ++ return err; ++ } ++ ++ err = 
mlx5_esw_bridge_port_mdb_offload(port, entry); ++ if (err) ++ /* Single mdb can be used by multiple ports, so just log the ++ * error and continue. ++ */ ++ esw_warn(bridge->br_offloads->esw->dev, "MDB attach failed to offload (MAC=%pM,vid=%u,vport=%u,err=%d)\n", ++ addr, vid, port->vport_num, err); ++ return 0; ++} ++ ++static void mlx5_esw_bridge_port_mdb_entry_detach(struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_mdb_entry *entry) ++{ ++ struct mlx5_esw_bridge *bridge = port->bridge; ++ int err; ++ ++ mlx5_esw_bridge_mdb_port_remove(port, entry); ++ if (!entry->num_ports) { ++ mlx5_esw_bridge_port_mdb_entry_cleanup(bridge, entry); ++ return; ++ } ++ ++ err = mlx5_esw_bridge_port_mdb_offload(port, entry); ++ if (err) ++ /* Single mdb can be used by multiple ports, so just log the ++ * error and continue. ++ */ ++ esw_warn(bridge->br_offloads->esw->dev, "MDB detach failed to offload (MAC=%pM,vid=%u,vport=%u)\n", ++ entry->key.addr, entry->key.vid, port->vport_num); ++} ++ ++void mlx5_esw_bridge_port_mdb_detach(struct mlx5_esw_bridge_port *port, const unsigned char *addr, ++ u16 vid) ++{ ++ struct mlx5_esw_bridge *bridge = port->bridge; ++ struct mlx5_esw_bridge_mdb_entry *entry; ++ ++ entry = mlx5_esw_bridge_mdb_lookup(bridge, addr, vid); ++ if (!entry) { ++ esw_debug(bridge->br_offloads->esw->dev, ++ "MDB detach entry not found (MAC=%pM,vid=%u,vport=%u)\n", ++ addr, vid, port->vport_num); ++ return; ++ } ++ ++ if (!mlx5_esw_bridge_mdb_port_lookup(port, entry)) { ++ esw_debug(bridge->br_offloads->esw->dev, ++ "MDB detach entry not attached to the port (MAC=%pM,vid=%u,vport=%u)\n", ++ addr, vid, port->vport_num); ++ return; ++ } ++ ++ mlx5_esw_bridge_port_mdb_entry_detach(port, entry); ++} ++ ++void mlx5_esw_bridge_port_mdb_vlan_flush(struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_vlan *vlan) ++{ ++ struct mlx5_esw_bridge *bridge = port->bridge; ++ struct mlx5_esw_bridge_mdb_entry *entry, *tmp; ++ ++ list_for_each_entry_safe(entry, tmp, 
&bridge->mdb_list, list) ++ if (entry->key.vid == vlan->vid && mlx5_esw_bridge_mdb_port_lookup(port, entry)) ++ mlx5_esw_bridge_port_mdb_entry_detach(port, entry); ++} ++ ++static void mlx5_esw_bridge_port_mdb_flush(struct mlx5_esw_bridge_port *port) ++{ ++ struct mlx5_esw_bridge *bridge = port->bridge; ++ struct mlx5_esw_bridge_mdb_entry *entry, *tmp; ++ ++ list_for_each_entry_safe(entry, tmp, &bridge->mdb_list, list) ++ if (mlx5_esw_bridge_mdb_port_lookup(port, entry)) ++ mlx5_esw_bridge_port_mdb_entry_detach(port, entry); ++} ++ ++void mlx5_esw_bridge_mdb_flush(struct mlx5_esw_bridge *bridge) ++{ ++ struct mlx5_esw_bridge_mdb_entry *entry, *tmp; ++ ++ list_for_each_entry_safe(entry, tmp, &bridge->mdb_list, list) ++ mlx5_esw_bridge_port_mdb_entry_cleanup(bridge, entry); ++} + static int mlx5_esw_bridge_port_mcast_fts_init(struct mlx5_esw_bridge_port *port, + struct mlx5_esw_bridge *bridge) + { +@@ -457,6 +751,7 @@ int mlx5_esw_bridge_port_mcast_init(struct mlx5_esw_bridge_port *port) + + void mlx5_esw_bridge_port_mcast_cleanup(struct mlx5_esw_bridge_port *port) + { ++ mlx5_esw_bridge_port_mdb_flush(port); + mlx5_esw_bridge_port_mcast_fhs_cleanup(port); + mlx5_esw_bridge_port_mcast_fgs_cleanup(port); + mlx5_esw_bridge_port_mcast_fts_cleanup(port); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +index 36ff32001ce8..849028f94be2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +@@ -125,6 +125,11 @@ struct mlx5_esw_bridge_fdb_key { + u16 vid; + }; + ++struct mlx5_esw_bridge_mdb_key { ++ unsigned char addr[ETH_ALEN]; ++ u16 vid; ++}; ++ + enum { + MLX5_ESW_BRIDGE_FLAG_ADDED_BY_USER = BIT(0), + MLX5_ESW_BRIDGE_FLAG_PEER = BIT(1), +@@ -151,6 +156,16 @@ struct mlx5_esw_bridge_fdb_entry { + struct mlx5_flow_handle *filter_handle; + }; + ++struct mlx5_esw_bridge_mdb_entry { ++ struct 
mlx5_esw_bridge_mdb_key key; ++ struct rhash_head ht_node; ++ struct list_head list; ++ struct xarray ports; ++ int num_ports; ++ ++ struct mlx5_flow_handle *egress_handle; ++}; ++ + struct mlx5_esw_bridge_vlan { + u16 vid; + u16 flags; +@@ -188,6 +203,9 @@ struct mlx5_esw_bridge { + struct list_head fdb_list; + struct rhashtable fdb_ht; + ++ struct list_head mdb_list; ++ struct rhashtable mdb_ht; ++ + struct mlx5_flow_table *egress_ft; + struct mlx5_flow_group *egress_vlan_fg; + struct mlx5_flow_group *egress_qinq_fg; +@@ -202,6 +220,7 @@ struct mlx5_esw_bridge { + + struct mlx5_flow_table *mlx5_esw_bridge_table_create(int max_fte, u32 level, + struct mlx5_eswitch *esw); ++unsigned long mlx5_esw_bridge_port_key(struct mlx5_esw_bridge_port *port); + + int mlx5_esw_bridge_port_mcast_init(struct mlx5_esw_bridge_port *port); + void mlx5_esw_bridge_port_mcast_cleanup(struct mlx5_esw_bridge_port *port); +@@ -212,4 +231,14 @@ void mlx5_esw_bridge_vlan_mcast_cleanup(struct mlx5_esw_bridge_vlan *vlan); + int mlx5_esw_bridge_mcast_enable(struct mlx5_esw_bridge *bridge); + void mlx5_esw_bridge_mcast_disable(struct mlx5_esw_bridge *bridge); + ++int mlx5_esw_bridge_mdb_init(struct mlx5_esw_bridge *bridge); ++void mlx5_esw_bridge_mdb_cleanup(struct mlx5_esw_bridge *bridge); ++int mlx5_esw_bridge_port_mdb_attach(struct mlx5_esw_bridge_port *port, const unsigned char *addr, ++ u16 vid); ++void mlx5_esw_bridge_port_mdb_detach(struct mlx5_esw_bridge_port *port, const unsigned char *addr, ++ u16 vid); ++void mlx5_esw_bridge_port_mdb_vlan_flush(struct mlx5_esw_bridge_port *port, ++ struct mlx5_esw_bridge_vlan *vlan); ++void mlx5_esw_bridge_mdb_flush(struct mlx5_esw_bridge *bridge); ++ + #endif /* _MLX5_ESW_BRIDGE_PRIVATE_ */ +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0073-net-mlx5-Bridge-add-tracepoints-for-multicast.patch b/SPECS/kernel-hci/0073-net-mlx5-Bridge-add-tracepoints-for-multicast.patch new file mode 100644 index 00000000000..ac2a3fd69a5 --- /dev/null 
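Review bot: In the new bridge_mcast.c, `mlx5_esw_bridge_mdb_flow_create` takes `u16 esw_owner_vhca_id` but never reads it, and in `mlx5_esw_bridge_port_mdb_entry_detach` the `err` returned by `mlx5_esw_bridge_port_mdb_offload` is only tested while the sibling attach path prints it. Keeping the two diagnostics parallel would be `esw_warn(bridge->br_offloads->esw->dev, "MDB detach failed to offload (MAC=%pM,vid=%u,vport=%u,err=%d)\n", entry->key.addr, entry->key.vid, port->vport_num, err);`, and the unused parameter should either be dropped or used. The strings handed to `NL_SET_ERR_MSG_FMT_MOD` in `mlx5_esw_bridge_port_mdb_add` end in `\n`, which presumably is copied into the extack message delivered to userspace; extack text conventionally carries no trailing newline, unlike the `esw_warn` lines next to them. Since this file is a verbatim backport of upstream 70f0302b3f20, these are better carried as a separate follow-up patch in the series than as edits inside this one.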
+++ b/SPECS/kernel-hci/0073-net-mlx5-Bridge-add-tracepoints-for-multicast.patch @@ -0,0 +1,252 @@ +From 542c27ae4bdc141506c7406eff99c0138c3b6748 Mon Sep 17 00:00:00 2001 +From: Amir Tzin +Date: Mon, 29 May 2023 11:24:23 +0300 +Subject: [PATCH 58/58] net/mlx5: Bridge, add tracepoints for multicast + +Upstream Status: v6.4-rc1 + +commit 55f3e740f7f6 ("net/mlx5: Bridge, add tracepoints for multicast") +Author: Vlad Buslov +Date: Tue Feb 14 22:00:41 2023 +0100 + + net/mlx5: Bridge, add tracepoints for multicast + + Pass target struct net_device to mdb attach/detach handler in order to + expose the port name to the new tracepoints. Implemented following + tracepoints: + + - Attach mdb to port. + - Detach mdb from port. + + Usage example: + + ># cd /sys/kernel/debug/tracing + ># echo mlx5:mlx5_esw_bridge_port_mdb_attach >> set_event + ># cat trace + ... + kworker/0:0-19071 [000] ..... 259004.253848: mlx5_esw_bridge_port_mdb_attach: net_device=enp8s0f0_0 addr=33:33:ff:00:00:01 vid=0 num_ports=1 offloaded=1 + + Signed-off-by: Vlad Buslov + Reviewed-by: Maor Dickman + Reviewed-by: Roi Dayan + 
Signed-off-by: Saeed Mahameed + +Change-Id: If6de1dcbb7630979b705991a7663726c6172d575 +Signed-off-by: Amir Tzin +--- + .../mellanox/mlx5/core/en/rep/bridge.c | 4 +-- + .../ethernet/mellanox/mlx5/core/esw/bridge.c | 14 ++++---- + .../ethernet/mellanox/mlx5/core/esw/bridge.h | 10 +++--- + .../mellanox/mlx5/core/esw/bridge_mcast.c | 12 ++++--- + .../mellanox/mlx5/core/esw/bridge_priv.h | 8 ++--- + .../mlx5/core/esw/diag/bridge_tracepoint.h | 35 +++++++++++++++++++ + 6 files changed, 63 insertions(+), 20 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c +index d1df5a93f13e..d4416ba6ab25 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c +@@ -207,7 +207,7 @@ mlx5_esw_bridge_port_obj_add(struct net_device *dev, + break; + case SWITCHDEV_OBJ_ID_PORT_MDB: + mdb = SWITCHDEV_OBJ_PORT_MDB(obj); +- err = mlx5_esw_bridge_port_mdb_add(vport_num, esw_owner_vhca_id, mdb->addr, ++ err = mlx5_esw_bridge_port_mdb_add(dev, vport_num, esw_owner_vhca_id, mdb->addr, + mdb->vid, br_offloads, extack); + break; + default: +@@ -239,7 +239,7 @@ mlx5_esw_bridge_port_obj_del(struct net_device *dev, + break; + case SWITCHDEV_OBJ_ID_PORT_MDB: + mdb = SWITCHDEV_OBJ_PORT_MDB(obj); +- mlx5_esw_bridge_port_mdb_del(vport_num, esw_owner_vhca_id, mdb->addr, mdb->vid, ++ mlx5_esw_bridge_port_mdb_del(dev, vport_num, esw_owner_vhca_id, mdb->addr, mdb->vid, + br_offloads); + break; + default: +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +index be4787539c6c..1ba03e219111 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +@@ -1803,8 +1803,9 @@ void mlx5_esw_bridge_update(struct mlx5_esw_bridge_offloads *br_offloads) + } + } + +-int mlx5_esw_bridge_port_mdb_add(u16 vport_num, u16 
esw_owner_vhca_id, const unsigned char *addr, +- u16 vid, struct mlx5_esw_bridge_offloads *br_offloads, ++int mlx5_esw_bridge_port_mdb_add(struct net_device *dev, u16 vport_num, u16 esw_owner_vhca_id, ++ const unsigned char *addr, u16 vid, ++ struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack) + { + struct mlx5_esw_bridge_vlan *vlan; +@@ -1837,7 +1838,7 @@ int mlx5_esw_bridge_port_mdb_add(u16 vport_num, u16 esw_owner_vhca_id, const uns + } + } + +- err = mlx5_esw_bridge_port_mdb_attach(port, addr, vid); ++ err = mlx5_esw_bridge_port_mdb_attach(dev, port, addr, vid); + if (err) { + NL_SET_ERR_MSG_FMT_MOD(extack, "Failed to add MDB (MAC=%pM,vid=%u,vport=%u)\n", + addr, vid, vport_num); +@@ -1847,8 +1848,9 @@ int mlx5_esw_bridge_port_mdb_add(u16 vport_num, u16 esw_owner_vhca_id, const uns + return 0; + } + +-void mlx5_esw_bridge_port_mdb_del(u16 vport_num, u16 esw_owner_vhca_id, const unsigned char *addr, +- u16 vid, struct mlx5_esw_bridge_offloads *br_offloads) ++void mlx5_esw_bridge_port_mdb_del(struct net_device *dev, u16 vport_num, u16 esw_owner_vhca_id, ++ const unsigned char *addr, u16 vid, ++ struct mlx5_esw_bridge_offloads *br_offloads) + { + struct mlx5_esw_bridge_port *port; + +@@ -1856,7 +1858,7 @@ void mlx5_esw_bridge_port_mdb_del(u16 vport_num, u16 esw_owner_vhca_id, const un + if (!port) + return; + +- mlx5_esw_bridge_port_mdb_detach(port, addr, vid); ++ mlx5_esw_bridge_port_mdb_detach(dev, port, addr, vid); + } + + static void mlx5_esw_bridge_flush(struct mlx5_esw_bridge_offloads *br_offloads) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h +index 9cab66467289..a9dd18c73d6a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h +@@ -79,10 +79,12 @@ int mlx5_esw_bridge_port_vlan_add(u16 vport_num, u16 esw_owner_vhca_id, u16 vid, + void mlx5_esw_bridge_port_vlan_del(u16 vport_num, u16 
esw_owner_vhca_id, u16 vid, + struct mlx5_esw_bridge_offloads *br_offloads); + +-int mlx5_esw_bridge_port_mdb_add(u16 vport_num, u16 esw_owner_vhca_id, const unsigned char *addr, +- u16 vid, struct mlx5_esw_bridge_offloads *br_offloads, ++int mlx5_esw_bridge_port_mdb_add(struct net_device *dev, u16 vport_num, u16 esw_owner_vhca_id, ++ const unsigned char *addr, u16 vid, ++ struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack); +-void mlx5_esw_bridge_port_mdb_del(u16 vport_num, u16 esw_owner_vhca_id, const unsigned char *addr, +- u16 vid, struct mlx5_esw_bridge_offloads *br_offloads); ++void mlx5_esw_bridge_port_mdb_del(struct net_device *dev, u16 vport_num, u16 esw_owner_vhca_id, ++ const unsigned char *addr, u16 vid, ++ struct mlx5_esw_bridge_offloads *br_offloads); + + #endif /* __MLX5_ESW_BRIDGE_H__ */ +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c +index d17fe6d374b5..2eae594a5e80 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_mcast.c +@@ -5,6 +5,7 @@ + #include "bridge.h" + #include "eswitch.h" + #include "bridge_priv.h" ++#include "diag/bridge_tracepoint.h" + + static const struct rhashtable_params mdb_ht_params = { + .key_offset = offsetof(struct mlx5_esw_bridge_mdb_entry, key), +@@ -180,8 +181,8 @@ static void mlx5_esw_bridge_port_mdb_entry_cleanup(struct mlx5_esw_bridge *bridg + kvfree(entry); + } + +-int mlx5_esw_bridge_port_mdb_attach(struct mlx5_esw_bridge_port *port, const unsigned char *addr, +- u16 vid) ++int mlx5_esw_bridge_port_mdb_attach(struct net_device *dev, struct mlx5_esw_bridge_port *port, ++ const unsigned char *addr, u16 vid) + { + struct mlx5_esw_bridge *bridge = port->bridge; + struct mlx5_esw_bridge_mdb_entry *entry; +@@ -224,6 +225,8 @@ int mlx5_esw_bridge_port_mdb_attach(struct mlx5_esw_bridge_port *port, const uns + */ + 
esw_warn(bridge->br_offloads->esw->dev, "MDB attach failed to offload (MAC=%pM,vid=%u,vport=%u,err=%d)\n", + addr, vid, port->vport_num, err); ++ ++ trace_mlx5_esw_bridge_port_mdb_attach(dev, entry); + return 0; + } + +@@ -248,8 +251,8 @@ static void mlx5_esw_bridge_port_mdb_entry_detach(struct mlx5_esw_bridge_port *p + entry->key.addr, entry->key.vid, port->vport_num); + } + +-void mlx5_esw_bridge_port_mdb_detach(struct mlx5_esw_bridge_port *port, const unsigned char *addr, +- u16 vid) ++void mlx5_esw_bridge_port_mdb_detach(struct net_device *dev, struct mlx5_esw_bridge_port *port, ++ const unsigned char *addr, u16 vid) + { + struct mlx5_esw_bridge *bridge = port->bridge; + struct mlx5_esw_bridge_mdb_entry *entry; +@@ -269,6 +272,7 @@ void mlx5_esw_bridge_port_mdb_detach(struct mlx5_esw_bridge_port *port, const un + return; + } + ++ trace_mlx5_esw_bridge_port_mdb_detach(dev, entry); + mlx5_esw_bridge_port_mdb_entry_detach(port, entry); + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +index 849028f94be2..c9595801bdb4 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +@@ -233,10 +233,10 @@ void mlx5_esw_bridge_mcast_disable(struct mlx5_esw_bridge *bridge); + + int mlx5_esw_bridge_mdb_init(struct mlx5_esw_bridge *bridge); + void mlx5_esw_bridge_mdb_cleanup(struct mlx5_esw_bridge *bridge); +-int mlx5_esw_bridge_port_mdb_attach(struct mlx5_esw_bridge_port *port, const unsigned char *addr, +- u16 vid); +-void mlx5_esw_bridge_port_mdb_detach(struct mlx5_esw_bridge_port *port, const unsigned char *addr, +- u16 vid); ++int mlx5_esw_bridge_port_mdb_attach(struct net_device *dev, struct mlx5_esw_bridge_port *port, ++ const unsigned char *addr, u16 vid); ++void mlx5_esw_bridge_port_mdb_detach(struct net_device *dev, struct mlx5_esw_bridge_port *port, ++ const unsigned char *addr, u16 vid); + void 
mlx5_esw_bridge_port_mdb_vlan_flush(struct mlx5_esw_bridge_port *port, + struct mlx5_esw_bridge_vlan *vlan); + void mlx5_esw_bridge_mdb_flush(struct mlx5_esw_bridge *bridge); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/diag/bridge_tracepoint.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/diag/bridge_tracepoint.h +index 51ac24e6ec3c..1808da214094 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/diag/bridge_tracepoint.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/diag/bridge_tracepoint.h +@@ -110,6 +110,41 @@ DEFINE_EVENT(mlx5_esw_bridge_port_template, + TP_ARGS(port) + ); + ++DECLARE_EVENT_CLASS(mlx5_esw_bridge_mdb_port_change_template, ++ TP_PROTO(const struct net_device *dev, ++ const struct mlx5_esw_bridge_mdb_entry *mdb), ++ TP_ARGS(dev, mdb), ++ TP_STRUCT__entry( ++ __array(char, dev_name, IFNAMSIZ) ++ __array(unsigned char, addr, ETH_ALEN) ++ __field(u16, vid) ++ __field(int, num_ports) ++ __field(bool, offloaded)), ++ TP_fast_assign( ++ strscpy(__entry->dev_name, netdev_name(dev), IFNAMSIZ); ++ memcpy(__entry->addr, mdb->key.addr, ETH_ALEN); ++ __entry->vid = mdb->key.vid; ++ __entry->num_ports = mdb->num_ports; ++ __entry->offloaded = mdb->egress_handle;), ++ TP_printk("net_device=%s addr=%pM vid=%u num_ports=%d offloaded=%d", ++ __entry->dev_name, ++ __entry->addr, ++ __entry->vid, ++ __entry->num_ports, ++ __entry->offloaded)); ++ ++DEFINE_EVENT(mlx5_esw_bridge_mdb_port_change_template, ++ mlx5_esw_bridge_port_mdb_attach, ++ TP_PROTO(const struct net_device *dev, ++ const struct mlx5_esw_bridge_mdb_entry *mdb), ++ TP_ARGS(dev, mdb)); ++ ++DEFINE_EVENT(mlx5_esw_bridge_mdb_port_change_template, ++ mlx5_esw_bridge_port_mdb_detach, ++ TP_PROTO(const struct net_device *dev, ++ const struct mlx5_esw_bridge_mdb_entry *mdb), ++ TP_ARGS(dev, mdb)); ++ + #endif + + /* This part must be outside protection */ +-- +2.31.1 + 
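Review bot: The Subject line of 0073 keeps the series index `[PATCH 58/58]` and the body carries a Gerrit `Change-Id:` trailer from the vendor export, whereas the following patches (0074 through 0080) use a plain `[PATCH]` subject with only the upstream sign-off trailers; the index suggests 57 sibling patches that are not part of this series and is likely a leftover of the export. Suggest normalising the subject to `Subject: [PATCH] net/mlx5: Bridge, add tracepoints for multicast` and dropping the `Change-Id:` line. The `Upstream Status: v6.4-rc1` line and the quoted mainline commit 55f3e740f7f6 are the useful provenance and should stay, since the `From 542c27ae...` hash at the top is the backport commit, not the upstream one.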
diff --git a/SPECS/kernel-hci/0074-net-mlx5-DR-Fix-uninitialized-var-warning.patch b/SPECS/kernel-hci/0074-net-mlx5-DR-Fix-uninitialized-var-warning.patch new file mode 100644 index 00000000000..765b0754def --- /dev/null +++ b/SPECS/kernel-hci/0074-net-mlx5-DR-Fix-uninitialized-var-warning.patch @@ -0,0 +1,46 @@ +From 52f7cf70eb8fac6111786c59ae9dfc5cf2bee710 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 10 Nov 2022 21:47:07 +0800 +Subject: [PATCH] net/mlx5: DR, Fix uninitialized var warning + +Smatch warns this: + +drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c:81 + mlx5dr_table_set_miss_action() error: uninitialized symbol 'ret'. + +Initializing ret with -EOPNOTSUPP and fix missing action case. + +Fixes: 7838e1725394 ("net/mlx5: DR, Expose steering table functionality") +Signed-off-by: YueHaibing +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +index 31d443dd8386..f68461b13391 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +@@ -46,7 +46,7 @@ static int dr_table_set_miss_action_nic(struct mlx5dr_domain *dmn, + int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl, + struct mlx5dr_action *action) + { +- int ret; ++ int ret = -EOPNOTSUPP; + + if (action && action->action_type != DR_ACTION_TYP_FT) + return -EOPNOTSUPP; +@@ -67,6 +67,9 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl, + goto out; + } + ++ if (ret) ++ goto out; ++ + /* Release old action */ + if (tbl->miss_action) + refcount_dec(&tbl->miss_action->refcount); +-- +2.31.1 + 
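Review bot: The 0074 patch header has no `Upstream Status:` line, unlike 0073 directly above it, so a reader must resolve the `From 52f7cf70...` hash externally to learn which mainline release the fix landed in and whether the backport was modified; the same applies to 0075 through 0081. Suggest adding a line such as `Upstream Status: <mainline release tag>` after the Subject in each of these patches, and, where the hunk was regenerated or adapted for this tree, a one-line note saying so under the `---` separator. Only the series of this commit is visible here, so I cannot tell whether the spec's Patch entries that reference these files were updated in the same change.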
diff --git a/SPECS/kernel-hci/0075-net-mlx5-Fix-matching-on-inner-TTC.patch b/SPECS/kernel-hci/0075-net-mlx5-Fix-matching-on-inner-TTC.patch new file mode 100644 index 00000000000..5ede5bde684 --- /dev/null +++ b/SPECS/kernel-hci/0075-net-mlx5-Fix-matching-on-inner-TTC.patch 
@@ -0,0 +1,48 @@ +From a042d7f5bb68c47f6e0e546ca367d14e1e4b25ba Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Sun, 10 Apr 2022 11:58:05 +0000 +Subject: [PATCH] net/mlx5: Fix matching on inner TTC + +The cited commits didn't use proper matching on inner TTC +as a result distribution of encapsulated packets wasn't symmetric +between the physical ports. + +Fixes: 4c71ce50d2fe ("net/mlx5: Support partial TTC rules") +Fixes: 8e25a2bc6687 ("net/mlx5: Lag, add support to create TTC tables for LAG port selection") +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c +index a6592f9c3c05..5be322528279 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c +@@ -505,7 +505,7 @@ static int mlx5_lag_create_inner_ttc_table(struct mlx5_lag *ldev) + struct ttc_params ttc_params = {}; + + mlx5_lag_set_inner_ttc_params(ldev, &ttc_params); +- port_sel->inner.ttc = mlx5_create_ttc_table(dev, &ttc_params); ++ port_sel->inner.ttc = mlx5_create_inner_ttc_table(dev, &ttc_params); + if (IS_ERR(port_sel->inner.ttc)) + return PTR_ERR(port_sel->inner.ttc); + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c +index b63dec24747a..b78f2ba25c19 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c +@@ -408,6 +408,8 @@ static int mlx5_generate_inner_ttc_table_rules(struct mlx5_core_dev *dev, + for (tt = 0; tt < MLX5_NUM_TT; tt++) { + struct mlx5_ttc_rule *rule = &rules[tt]; + ++ if (test_bit(tt, params->ignore_dests)) ++ continue; + 
rule->rule = mlx5_generate_inner_ttc_rule(dev, ft, + ¶ms->dests[tt], + ttc_rules[tt].etype, +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0076-net-mlx5-Lag-fix-a-potential-Oops-with-mlx5_lag_crea.patch b/SPECS/kernel-hci/0076-net-mlx5-Lag-fix-a-potential-Oops-with-mlx5_lag_crea.patch new file mode 100644 index 00000000000..00b739c1049 --- /dev/null +++ b/SPECS/kernel-hci/0076-net-mlx5-Lag-fix-a-potential-Oops-with-mlx5_lag_crea.patch @@ -0,0 +1,33 @@ +From c7ebe23cee350fb187ee00ff445b01e11de0bfe9 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 10 Nov 2021 11:07:06 +0300 +Subject: [PATCH] net/mlx5: Lag, fix a potential Oops with + mlx5_lag_create_definer() + +There is a minus character missing from ERR_PTR(ENOMEM) so if this +allocation fails it will lead to an Oops in the caller. + +Fixes: dc48516ec7d3 ("net/mlx5: Lag, add support to create definers for LAG") +Signed-off-by: Dan Carpenter +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c +index adc836b3d857..ad63dd45c8fb 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c +@@ -289,7 +289,7 @@ mlx5_lag_create_definer(struct mlx5_lag *ldev, enum netdev_lag_hash hash, + + lag_definer = kzalloc(sizeof(*lag_definer), GFP_KERNEL); + if (!lag_definer) +- return ERR_PTR(ENOMEM); ++ return ERR_PTR(-ENOMEM); + + match_definer_mask = kvzalloc(MLX5_FLD_SZ_BYTES(match_definer, + match_mask), +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0077-net-mlx5-DR-Fix-SMFS-steering-info-dump-format.patch b/SPECS/kernel-hci/0077-net-mlx5-DR-Fix-SMFS-steering-info-dump-format.patch new file mode 100644 index 00000000000..e99bb7c1ce8 --- /dev/null 
+++ b/SPECS/kernel-hci/0077-net-mlx5-DR-Fix-SMFS-steering-info-dump-format.patch 
@@ -0,0 +1,64 @@ +From 62d2664351ef37da34f6f3a3fd8ab34257d6fe30 Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Mon, 25 Jul 2022 00:06:12 +0300 +Subject: [PATCH] net/mlx5: DR, Fix SMFS steering info dump format + +Fix several issues in SMFS steering info dump: + - Fix outdated macro value for matcher mask in the SMFS debug dump format. + The existing value denotes the old format of the matcher mask, as it was + used during the early stages of development, and it results in wrong + parsing by the steering dump parser - wrong fields are shown in the + parsed output. + - Add the missing destination table to the dumped action. + The missing dest table handle breaks the ability to associate between + the "go to table" action and the actual table in the steering info. + +Fixes: 9222f0b27da2 ("net/mlx5: DR, Add support for dumping steering info") +Signed-off-by: Yevgeny Kliteynik +Signed-off-by: Muhammad Sammar +Reviewed-by: Alex Vesker +Signed-off-by: Saeed Mahameed +--- + .../ethernet/mellanox/mlx5/core/steering/dr_dbg.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.c +index d5998ef59be4..7adcf0eec13b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.c +@@ -21,10 +21,11 @@ enum dr_dump_rec_type { + DR_DUMP_REC_TYPE_TABLE_TX = 3102, + + DR_DUMP_REC_TYPE_MATCHER = 3200, +- DR_DUMP_REC_TYPE_MATCHER_MASK = 3201, ++ DR_DUMP_REC_TYPE_MATCHER_MASK_DEPRECATED = 3201, + DR_DUMP_REC_TYPE_MATCHER_RX = 3202, + DR_DUMP_REC_TYPE_MATCHER_TX = 3203, + DR_DUMP_REC_TYPE_MATCHER_BUILDER = 3204, ++ DR_DUMP_REC_TYPE_MATCHER_MASK = 3205, + + DR_DUMP_REC_TYPE_RULE = 3300, + DR_DUMP_REC_TYPE_RULE_RX_ENTRY_V0 = 3301, +@@ -114,13 +115,15 @@ dr_dump_rule_action_mem(struct seq_file *file, const u64 rule_id, + break; + case DR_ACTION_TYP_FT: + if 
(action->dest_tbl->is_fw_tbl) +- seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x,0x%x\n", + DR_DUMP_REC_TYPE_ACTION_FT, action_id, +- rule_id, action->dest_tbl->fw_tbl.id); ++ rule_id, action->dest_tbl->fw_tbl.id, ++ -1); + else +- seq_printf(file, "%d,0x%llx,0x%llx,0x%x\n", ++ seq_printf(file, "%d,0x%llx,0x%llx,0x%x,0x%llx\n", + DR_DUMP_REC_TYPE_ACTION_FT, action_id, +- rule_id, action->dest_tbl->tbl->table_id); ++ rule_id, action->dest_tbl->tbl->table_id, ++ DR_DBG_PTR_TO_ID(action->dest_tbl->tbl)); + + break; + case DR_ACTION_TYP_CTR: +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0078-net-mlx5-DR-Fix-matcher-disconnect-error-flow.patch b/SPECS/kernel-hci/0078-net-mlx5-DR-Fix-matcher-disconnect-error-flow.patch new file mode 100644 index 00000000000..cb22d45359b --- /dev/null +++ b/SPECS/kernel-hci/0078-net-mlx5-DR-Fix-matcher-disconnect-error-flow.patch 
@@ -0,0 +1,41 @@ +From 4ea9891d66410da5030dababb4b825d8e41cd7bb Mon Sep 17 00:00:00 2001 +From: Rongwei Liu +Date: Wed, 26 Oct 2022 14:51:41 +0100 +Subject: [PATCH] net/mlx5: DR, Fix matcher disconnect error flow + +When 2nd flow rules arrives, it will merge together with the +1st one if matcher criteria is the same. + +If merge fails, driver will rollback the merge contents, and +reject the 2nd rule. At rollback stage, matcher can't be +disconnected unconditionally, otherise the 1st rule can't be +hit anymore. + +Add logic to check if the matcher should be disconnected or not. + +Fixes: cc2295cd54e4 ("net/mlx5: DR, Improve steering for empty or RX/TX-only matchers") +Signed-off-by: Rongwei Liu +Signed-off-by: Saeed Mahameed +Link: https://lore.kernel.org/r/20221026135153.154807-4-saeed@kernel.org +Signed-off-by: Jakub Kicinski +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c +index ddfaf7891188..91ff19f67695 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c +@@ -1200,7 +1200,8 @@ dr_rule_create_rule_nic(struct mlx5dr_rule *rule, + } + + remove_from_nic_tbl: +- mlx5dr_matcher_remove_from_tbl_nic(dmn, nic_matcher); ++ if (!nic_matcher->rules) ++ mlx5dr_matcher_remove_from_tbl_nic(dmn, nic_matcher); + + free_hw_ste: + mlx5dr_domain_nic_unlock(nic_dmn); +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0079-net-mlx5-DR-Ignore-modify-TTL-on-RX-if-device-doesn-.patch b/SPECS/kernel-hci/0079-net-mlx5-DR-Ignore-modify-TTL-on-RX-if-device-doesn-.patch new file mode 100644 index 00000000000..f45b7c22dbe --- /dev/null +++ b/SPECS/kernel-hci/0079-net-mlx5-DR-Ignore-modify-TTL-on-RX-if-device-doesn-.patch 
@@ -0,0 +1,172 @@ +From 785d7ed295513bd3374095304b7034fd65c123b0 Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Sun, 3 Apr 2022 23:18:10 +0300 +Subject: [PATCH] net/mlx5: DR, Ignore modify TTL on RX if device doesn't + support it + +When modifying TTL, packet's csum has to be recalculated. +Due to HW issue in ConnectX-5, csum recalculation for modify +TTL on RX is supported through a work-around that is specifically +enabled by configuration. +If the work-around isn't enabled, rather than adding an unsupported +action the modify TTL action on RX should be ignored. +Ignoring modify TTL action might result in zero actions, so in such +cases we will not convert the match STE to modify STE, as it is done +by FW in DMFS. + +This patch fixes an issue where modify TTL action was ignored both +on RX and TX instead of only on RX. + +Fixes: 4ff725e1d4ad ("net/mlx5: DR, Ignore modify TTL if device doesn't support it") +Signed-off-by: Yevgeny Kliteynik +Reviewed-by: Alex Vesker +Signed-off-by: Saeed Mahameed +--- + .../mellanox/mlx5/core/steering/dr_action.c | 65 +++++++++++++------ + .../mellanox/mlx5/core/steering/dr_ste_v0.c | 4 +- + 2 files changed, 48 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +index b52b539c8d2c..1383550f44c1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +@@ -530,6 +530,37 @@ static int dr_action_handle_cs_recalc(struct mlx5dr_domain *dmn, + return 0; + } + ++static void dr_action_modify_ttl_adjust(struct mlx5dr_domain *dmn, ++ struct mlx5dr_ste_actions_attr *attr, ++ bool rx_rule, ++ bool *recalc_cs_required) ++{ ++ *recalc_cs_required = false; ++ ++ /* if device supports csum recalculation - no adjustment needed */ ++ if (mlx5dr_ste_supp_ttl_cs_recalc(&dmn->info.caps)) ++ return; ++ ++ /* no adjustment needed on TX rules 
*/ ++ if (!rx_rule) ++ return; ++ ++ if (!MLX5_CAP_ESW_FLOWTABLE(dmn->mdev, fdb_ipv4_ttl_modify)) { ++ /* Ignore the modify TTL action. ++ * It is always kept as last HW action. ++ */ ++ attr->modify_actions--; ++ return; ++ } ++ ++ if (dmn->type == MLX5DR_DOMAIN_TYPE_FDB) ++ /* Due to a HW bug on some devices, modifying TTL on RX flows ++ * will cause an incorrect checksum calculation. In such cases ++ * we will use a FW table to recalculate the checksum. ++ */ ++ *recalc_cs_required = true; ++} ++ + static void dr_action_print_sequence(struct mlx5dr_domain *dmn, + struct mlx5dr_action *actions[], + int last_idx) +@@ -650,8 +681,9 @@ int mlx5dr_actions_build_ste_arr(struct mlx5dr_matcher *matcher, + case DR_ACTION_TYP_MODIFY_HDR: + attr.modify_index = action->rewrite->index; + attr.modify_actions = action->rewrite->num_of_actions; +- recalc_cs_required = action->rewrite->modify_ttl && +- !mlx5dr_ste_supp_ttl_cs_recalc(&dmn->info.caps); ++ if (action->rewrite->modify_ttl) ++ dr_action_modify_ttl_adjust(dmn, &attr, rx_rule, ++ &recalc_cs_required); + break; + case DR_ACTION_TYP_L2_TO_TNL_L2: + case DR_ACTION_TYP_L2_TO_TNL_L3: +@@ -732,12 +764,7 @@ int mlx5dr_actions_build_ste_arr(struct mlx5dr_matcher *matcher, + *new_hw_ste_arr_sz = nic_matcher->num_of_builders; + last_ste = ste_arr + DR_STE_SIZE * (nic_matcher->num_of_builders - 1); + +- /* Due to a HW bug in some devices, modifying TTL on RX flows will +- * cause an incorrect checksum calculation. In this case we will +- * use a FW table to recalculate. 
+- */ +- if (dmn->type == MLX5DR_DOMAIN_TYPE_FDB && +- rx_rule && recalc_cs_required && dest_action) { ++ if (recalc_cs_required && dest_action) { + ret = dr_action_handle_cs_recalc(dmn, dest_action, &attr.final_icm_addr); + if (ret) { + mlx5dr_err(dmn, +@@ -1558,12 +1585,6 @@ dr_action_modify_check_is_ttl_modify(const void *sw_action) + return sw_field == MLX5_ACTION_IN_FIELD_OUT_IP_TTL; + } + +-static bool dr_action_modify_ttl_ignore(struct mlx5dr_domain *dmn) +-{ +- return !mlx5dr_ste_supp_ttl_cs_recalc(&dmn->info.caps) && +- !MLX5_CAP_ESW_FLOWTABLE(dmn->mdev, fdb_ipv4_ttl_modify); +-} +- + static int dr_actions_convert_modify_header(struct mlx5dr_action *action, + u32 max_hw_actions, + u32 num_sw_actions, +@@ -1575,6 +1596,7 @@ static int dr_actions_convert_modify_header(struct mlx5dr_action *action, + const struct mlx5dr_ste_action_modify_field *hw_dst_action_info; + const struct mlx5dr_ste_action_modify_field *hw_src_action_info; + struct mlx5dr_domain *dmn = action->rewrite->dmn; ++ __be64 *modify_ttl_sw_action = NULL; + int ret, i, hw_idx = 0; + __be64 *sw_action; + __be64 hw_action; +@@ -1587,8 +1609,14 @@ static int dr_actions_convert_modify_header(struct mlx5dr_action *action, + action->rewrite->allow_rx = 1; + action->rewrite->allow_tx = 1; + +- for (i = 0; i < num_sw_actions; i++) { +- sw_action = &sw_actions[i]; ++ for (i = 0; i < num_sw_actions || modify_ttl_sw_action; i++) { ++ /* modify TTL is handled separately, as a last action */ ++ if (i == num_sw_actions) { ++ sw_action = modify_ttl_sw_action; ++ modify_ttl_sw_action = NULL; ++ } else { ++ sw_action = &sw_actions[i]; ++ } + + ret = dr_action_modify_check_field_limitation(action, + sw_action); +@@ -1597,10 +1625,9 @@ static int dr_actions_convert_modify_header(struct mlx5dr_action *action, + + if (!(*modify_ttl) && + dr_action_modify_check_is_ttl_modify(sw_action)) { +- if (dr_action_modify_ttl_ignore(dmn)) +- continue; +- ++ modify_ttl_sw_action = sw_action; + *modify_ttl = true; ++ continue; 
+ } + + /* Convert SW action to HW action */ +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c +index 5a322335f204..2010d4ac6519 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c +@@ -420,7 +420,7 @@ dr_ste_v0_set_actions_tx(struct mlx5dr_domain *dmn, + * encapsulation. The reason for that is that we support + * modify headers for outer headers only + */ +- if (action_type_set[DR_ACTION_TYP_MODIFY_HDR]) { ++ if (action_type_set[DR_ACTION_TYP_MODIFY_HDR] && attr->modify_actions) { + dr_ste_v0_set_entry_type(last_ste, DR_STE_TYPE_MODIFY_PKT); + dr_ste_v0_set_rewrite_actions(last_ste, + attr->modify_actions, +@@ -513,7 +513,7 @@ dr_ste_v0_set_actions_rx(struct mlx5dr_domain *dmn, + } + } + +- if (action_type_set[DR_ACTION_TYP_MODIFY_HDR]) { ++ if (action_type_set[DR_ACTION_TYP_MODIFY_HDR] && attr->modify_actions) { + if (dr_ste_v0_get_entry_type(last_ste) == DR_STE_TYPE_MODIFY_PKT) + dr_ste_v0_arr_init_next(&last_ste, + added_stes, +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0080-net-mlx5-DR-Handle-eswitch-manager-and-uplink-vports.patch b/SPECS/kernel-hci/0080-net-mlx5-DR-Handle-eswitch-manager-and-uplink-vports.patch new file mode 100644 index 00000000000..2d986f5c736 --- /dev/null +++ b/SPECS/kernel-hci/0080-net-mlx5-DR-Handle-eswitch-manager-and-uplink-vports.patch 
@@ -0,0 +1,165 @@ +From 9091b821aaa4c2d107ca8f97c32baefcb1e7e40d Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Wed, 3 Nov 2021 01:09:04 +0200 +Subject: [PATCH] net/mlx5: DR, Handle eswitch manager and uplink vports + separately + +When querying eswitch manager vport capabilities as "other = 1", +we encounter a FW compatibility issue with older FW versions. +To maintain backward compatibility, eswitch manager vport should +be queried as "other = 0" vport both for ECPF and non-ECPF cases. + +This patch fixes these queries and improves the code readability +by handling eswitch manager and uplink vports separately, avoiding +the excessive 'if' conditions. Also, uplink caps are stored similar +to esw manager and not as part of xarray. + +Fixes: dd4acb2a0954 ("net/mlx5: DR, Add missing query for vport 0") +Signed-off-by: Yevgeny Kliteynik +Signed-off-by: Saeed Mahameed +--- + .../mellanox/mlx5/core/steering/dr_domain.c | 56 ++++++++----------- + .../mellanox/mlx5/core/steering/dr_types.h | 1 + + 2 files changed, 24 insertions(+), 33 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +index 49089cbe897c..8cbd36c82b3b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +@@ -135,25 +135,14 @@ static void dr_domain_fill_uplink_caps(struct mlx5dr_domain *dmn, + + static int dr_domain_query_vport(struct mlx5dr_domain *dmn, + u16 vport_number, ++ bool other_vport, + struct mlx5dr_cmd_vport_cap *vport_caps) + { +- u16 cmd_vport = vport_number; +- bool other_vport = true; + int ret; + +- if (vport_number == MLX5_VPORT_UPLINK) { +- dr_domain_fill_uplink_caps(dmn, vport_caps); +- return 0; +- } +- +- if (dmn->info.caps.is_ecpf && vport_number == MLX5_VPORT_ECPF) { +- other_vport = false; +- cmd_vport = 0; +- } +- + ret = mlx5dr_cmd_query_esw_vport_context(dmn->mdev, + other_vport, 
+- cmd_vport, ++ vport_number, + &vport_caps->icm_address_rx, + &vport_caps->icm_address_tx); + if (ret) +@@ -161,7 +150,7 @@ static int dr_domain_query_vport(struct mlx5dr_domain *dmn, + + ret = mlx5dr_cmd_query_gvmi(dmn->mdev, + other_vport, +- cmd_vport, ++ vport_number, + &vport_caps->vport_gvmi); + if (ret) + return ret; +@@ -176,9 +165,15 @@ static int dr_domain_query_esw_mngr(struct mlx5dr_domain *dmn) + { + return dr_domain_query_vport(dmn, + dmn->info.caps.is_ecpf ? MLX5_VPORT_ECPF : 0, ++ false, + &dmn->info.caps.vports.esw_manager_caps); + } + ++static void dr_domain_query_uplink(struct mlx5dr_domain *dmn) ++{ ++ dr_domain_fill_uplink_caps(dmn, &dmn->info.caps.vports.uplink_caps); ++} ++ + static struct mlx5dr_cmd_vport_cap * + dr_domain_add_vport_cap(struct mlx5dr_domain *dmn, u16 vport) + { +@@ -190,7 +185,7 @@ dr_domain_add_vport_cap(struct mlx5dr_domain *dmn, u16 vport) + if (!vport_caps) + return NULL; + +- ret = dr_domain_query_vport(dmn, vport, vport_caps); ++ ret = dr_domain_query_vport(dmn, vport, true, vport_caps); + if (ret) { + kvfree(vport_caps); + return NULL; +@@ -207,16 +202,26 @@ dr_domain_add_vport_cap(struct mlx5dr_domain *dmn, u16 vport) + return vport_caps; + } + ++static bool dr_domain_is_esw_mgr_vport(struct mlx5dr_domain *dmn, u16 vport) ++{ ++ struct mlx5dr_cmd_caps *caps = &dmn->info.caps; ++ ++ return (caps->is_ecpf && vport == MLX5_VPORT_ECPF) || ++ (!caps->is_ecpf && vport == 0); ++} ++ + struct mlx5dr_cmd_vport_cap * + mlx5dr_domain_get_vport_cap(struct mlx5dr_domain *dmn, u16 vport) + { + struct mlx5dr_cmd_caps *caps = &dmn->info.caps; + struct mlx5dr_cmd_vport_cap *vport_caps; + +- if ((caps->is_ecpf && vport == MLX5_VPORT_ECPF) || +- (!caps->is_ecpf && vport == 0)) ++ if (dr_domain_is_esw_mgr_vport(dmn, vport)) + return &caps->vports.esw_manager_caps; + ++ if (vport == MLX5_VPORT_UPLINK) ++ return &caps->vports.uplink_caps; ++ + vport_load: + vport_caps = xa_load(&caps->vports.vports_caps_xa, vport); + if (vport_caps) +@@ 
-241,17 +246,6 @@ static void dr_domain_clear_vports(struct mlx5dr_domain *dmn) + } + } + +-static int dr_domain_query_uplink(struct mlx5dr_domain *dmn) +-{ +- struct mlx5dr_cmd_vport_cap *vport_caps; +- +- vport_caps = mlx5dr_domain_get_vport_cap(dmn, MLX5_VPORT_UPLINK); +- if (!vport_caps) +- return -EINVAL; +- +- return 0; +-} +- + static int dr_domain_query_fdb_caps(struct mlx5_core_dev *mdev, + struct mlx5dr_domain *dmn) + { +@@ -281,11 +275,7 @@ static int dr_domain_query_fdb_caps(struct mlx5_core_dev *mdev, + goto free_vports_caps_xa; + } + +- ret = dr_domain_query_uplink(dmn); +- if (ret) { +- mlx5dr_err(dmn, "Failed to query uplink vport caps (err: %d)", ret); +- goto free_vports_caps_xa; +- } ++ dr_domain_query_uplink(dmn); + + return 0; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index 3028b776da00..2333c2439c28 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -764,6 +764,7 @@ struct mlx5dr_roce_cap { + + struct mlx5dr_vports { + struct mlx5dr_cmd_vport_cap esw_manager_caps; ++ struct mlx5dr_cmd_vport_cap uplink_caps; + struct xarray vports_caps_xa; + }; + +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0081-net-mlx5-DR-Fix-slab-out-of-bounds-in-mlx5_cmd_dr_cr.patch b/SPECS/kernel-hci/0081-net-mlx5-DR-Fix-slab-out-of-bounds-in-mlx5_cmd_dr_cr.patch new file mode 100644 index 00000000000..45a39e73a5a --- /dev/null +++ b/SPECS/kernel-hci/0081-net-mlx5-DR-Fix-slab-out-of-bounds-in-mlx5_cmd_dr_cr.patch 
@@ -0,0 +1,96 @@ +From 0aec12d97b2036af0946e3d582144739860ac07b Mon Sep 17 00:00:00 2001 +From: Yevgeny Kliteynik +Date: Tue, 11 Jan 2022 03:00:03 +0200 +Subject: [PATCH] net/mlx5: DR, Fix slab-out-of-bounds in + mlx5_cmd_dr_create_fte + +When adding a rule with 32 destinations, we hit the following out-of-band +access issue: + + BUG: KASAN: slab-out-of-bounds in mlx5_cmd_dr_create_fte+0x18ee/0x1e70 + +This patch fixes the issue by both increasing the allocated buffers to +accommodate for the needed actions and by checking the number of actions +to prevent this issue when a rule with too many actions is provided. + +Fixes: 1ffd498901c1 ("net/mlx5: DR, Increase supported num of actions to 32") +Signed-off-by: Yevgeny Kliteynik +Reviewed-by: Alex Vesker +Signed-off-by: Saeed Mahameed +--- + .../mellanox/mlx5/core/steering/fs_dr.c | 33 +++++++++++++++---- + 1 file changed, 26 insertions(+), 7 deletions(-) + +Index: CBL-Mariner-Linux-Kernel/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c +=================================================================== +--- CBL-Mariner-Linux-Kernel.orig/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c ++++ CBL-Mariner-Linux-Kernel/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c +@@ -232,7 +232,11 @@ static bool contain_vport_reformat_actio + dst->dest_attr.vport.flags & MLX5_FLOW_DEST_VPORT_REFORMAT_ID; + } + +-#define MLX5_FLOW_CONTEXT_ACTION_MAX 32 ++/* We want to support a rule with 32 destinations, which means we need to ++ * account for 32 destinations plus usually a counter plus one more action ++ * for a multi-destination flow table. 
++ */ ++#define MLX5_FLOW_CONTEXT_ACTION_MAX 34 + static int mlx5_cmd_dr_create_fte(struct mlx5_flow_root_namespace *ns, + struct mlx5_flow_table *ft, + struct mlx5_flow_group *group, +@@ -402,9 +406,9 @@ static int mlx5_cmd_dr_create_fte(struct + enum mlx5_flow_destination_type type = dst->dest_attr.type; + u32 id; + +- if (num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX || +- num_term_actions >= MLX5_FLOW_CONTEXT_ACTION_MAX) { +- err = -ENOSPC; ++ if (fs_dr_num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX || ++ num_term_actions == MLX5_FLOW_CONTEXT_ACTION_MAX) { ++ err = -EOPNOTSUPP; + goto free_actions; + } + +@@ -477,8 +481,9 @@ static int mlx5_cmd_dr_create_fte(struct + MLX5_FLOW_DESTINATION_TYPE_COUNTER) + continue; + +- if (num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX) { +- err = -ENOSPC; ++ if (num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX || ++ fs_dr_num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX) { ++ err = -EOPNOTSUPP; + goto free_actions; + } + +@@ -498,15 +503,29 @@ static int mlx5_cmd_dr_create_fte(struct + params.match_sz = match_sz; + params.match_buf = (u64 *)fte->val; + if (num_term_actions == 1) { +- if (term_actions->reformat) ++ if (term_actions->reformat) { ++ if (num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX) { ++ err = -EOPNOTSUPP; ++ goto free_actions; ++ } + actions[num_actions++] = term_actions->reformat; ++ } + ++ if (num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX) { ++ err = -EOPNOTSUPP; ++ goto free_actions; ++ } + actions[num_actions++] = term_actions->dest; + } else if (num_term_actions > 1) { + bool ignore_flow_level = + !!(fte->action.flags & FLOW_ACT_IGNORE_FLOW_LEVEL); + u32 flow_source = fte->flow_context.flow_source; + ++ if (num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX || ++ fs_dr_num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX) { ++ err = -EOPNOTSUPP; ++ goto free_actions; ++ } + tmp_action = mlx5dr_action_create_mult_dest_tbl(domain, + term_actions, + num_term_actions, 
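Review bot: The new guards in mlx5_cmd_dr_create_fte test `num_actions`, `fs_dr_num_actions` and `num_term_actions` against MLX5_FLOW_CONTEXT_ACTION_MAX with `==`, and the first inner hunk even replaces an existing `num_term_actions >= MLX5_FLOW_CONTEXT_ACTION_MAX` with `==`; since each of these is a bound on an array index, `>=` keeps the check meaningful if a later change ever advances a counter past the limit between two checks, e.g. `if (num_actions >= MLX5_FLOW_CONTEXT_ACTION_MAX || fs_dr_num_actions >= MLX5_FLOW_CONTEXT_ACTION_MAX) {`. The new macro comment justifies 34 as 32 destinations plus a counter plus a multi-destination table, but the `actions[]`/`term_actions[]` storage it sizes is outside the hunk, so the commit message's statement that the buffers grow accordingly cannot be confirmed from here. `fs_dr_num_actions` is not declared in any visible hunk; the backport assumes this tree already tracks it, presumably via the commit named in the Fixes tag. The enclosing function starts and ends outside the visible hunks.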
diff --git a/SPECS/kernel-hci/0082-net-mlx5-Create-eswitch-debugfs-root-directory.patch b/SPECS/kernel-hci/0082-net-mlx5-Create-eswitch-debugfs-root-directory.patch new file mode 100644 index 00000000000..5e9fe742fe0 --- /dev/null +++ b/SPECS/kernel-hci/0082-net-mlx5-Create-eswitch-debugfs-root-directory.patch 
@@ -0,0 +1,82 @@ +From f405787a0abaf14e332aa6d1d924e75970332e68 Mon Sep 17 00:00:00 2001 +From: Vlad Buslov +Date: Thu, 1 Jun 2023 09:34:35 +0200 +Subject: [PATCH 82/84] net/mlx5: Create eswitch debugfs root directory + +Following patch in series uses the new directory for bridge FDB debugfs. +The new directory is intended for all future eswitch-specific debugfs +files. + +Conflicts: + - drivers/net/ethernet/mellanox/mlx5/core/eswitch.h + Context diff due to missing: + fbd43b7259bc ("net/mlx5: E-switch, Introduce flag to indicate if fdb table is created") + + - drivers/net/ethernet/mellanox/mlx5/core/eswitch.c + Context diff due to missing: + 3f90840305e2 ("net/mlx5: Move esw multiport devlink param to eswitch code") + Also commit 66771a1c729e ("net/mlx5: Move debugfs entries to separate struct") + is missing. Pass dev->priv.dbg_root instead of mlx5_debugfs_get_dev_root() + to function mlx5_eswitch_init() + +Signed-off-by: Vlad Buslov +Reviewed-by: Gal Pressman +Signed-off-by: Saeed Mahameed +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 4 ++++ + drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 3 +++ + 2 files changed, 7 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -31,6 +31,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -1560,6 +1561,7 @@ int mlx5_eswitch_init(struct mlx5_core_d + esw->manager_vport = mlx5_eswitch_manager_vport(dev); + esw->first_host_vport = mlx5_eswitch_first_host_vport_num(dev); + ++ esw->debugfs_root = debugfs_create_dir("esw", dev->priv.dbg_root); + esw->work_queue = create_singlethread_workqueue("mlx5_esw_wq"); + if (!esw->work_queue) { + err = -ENOMEM; +@@ -1611,6 +1613,7 @@ reps_err: + abort: + if (esw->work_queue) + destroy_workqueue(esw->work_queue); ++ debugfs_remove_recursive(esw->debugfs_root); + kfree(esw); + return err; + } +@@ -1634,6 +1637,7 @@ void mlx5_eswitch_cleanup(struct mlx5_es + 
mutex_destroy(&esw->offloads.decap_tbl_lock); + esw_offloads_cleanup_reps(esw); + mlx5_esw_vports_cleanup(esw); ++ debugfs_remove_recursive(esw->debugfs_root); + kfree(esw); + } + +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -283,6 +283,8 @@ enum { + + struct mlx5_esw_bridge_offloads; + ++struct dentry; ++ + struct mlx5_eswitch { + struct mlx5_core_dev *dev; + struct mlx5_nb nb; +@@ -291,6 +293,7 @@ struct mlx5_eswitch { + struct hlist_head mc_table[MLX5_L2_ADDR_HASH_SIZE]; + struct esw_mc_addr mc_promisc; + /* end of legacy */ ++ struct dentry *debugfs_root; + struct workqueue_struct *work_queue; + struct xarray vports; + u32 flags; diff --git a/SPECS/kernel-hci/0083-net-mlx5-Bridge-pass-net-device-when-linking-vport-t.patch b/SPECS/kernel-hci/0083-net-mlx5-Bridge-pass-net-device-when-linking-vport-t.patch new file mode 100644 index 00000000000..cff3a2787c5 --- /dev/null +++ b/SPECS/kernel-hci/0083-net-mlx5-Bridge-pass-net-device-when-linking-vport-t.patch 
@@ -0,0 +1,207 @@ +From ade19f0d6a3a395e7936227811acbf897ee186fc Mon Sep 17 00:00:00 2001 +From: Vlad Buslov +Date: Fri, 26 May 2023 08:55:15 +0200 +Subject: [PATCH 83/84] net/mlx5: Bridge, pass net device when linking vport to + bridge + +Following patch requires access to additional data in bridge net_device. +Pass the whole structure down the stack instead of adding necessary fields +as function arguments one-by-one. + +Signed-off-by: Vlad Buslov +Reviewed-by: Gal Pressman +Signed-off-by: Saeed Mahameed +--- + .../mellanox/mlx5/core/en/rep/bridge.c | 9 +++-- + .../ethernet/mellanox/mlx5/core/esw/bridge.c | 35 ++++++++++--------- + .../ethernet/mellanox/mlx5/core/esw/bridge.h | 10 +++--- + 3 files changed, 29 insertions(+), 25 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c +index fd191925ab4b..560800246573 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c +@@ -136,7 +136,6 @@ static int mlx5_esw_bridge_port_changeupper(struct notifier_block *nb, void *ptr + struct mlx5_eswitch *esw = br_offloads->esw; + u16 vport_num, esw_owner_vhca_id; + struct netlink_ext_ack *extack; +- int ifindex = upper->ifindex; + int err = 0; + + if (!netif_is_bridge_master(upper)) +@@ -150,15 +149,15 @@ static int mlx5_esw_bridge_port_changeupper(struct notifier_block *nb, void *ptr + + if (mlx5_esw_bridge_is_local(dev, rep, esw)) + err = info->linking ? +- mlx5_esw_bridge_vport_link(ifindex, vport_num, esw_owner_vhca_id, ++ mlx5_esw_bridge_vport_link(upper, vport_num, esw_owner_vhca_id, + br_offloads, extack) : +- mlx5_esw_bridge_vport_unlink(ifindex, vport_num, esw_owner_vhca_id, ++ mlx5_esw_bridge_vport_unlink(upper, vport_num, esw_owner_vhca_id, + br_offloads, extack); + else if (mlx5_esw_bridge_dev_same_hw(rep, esw)) + err = info->linking ? 
+- mlx5_esw_bridge_vport_peer_link(ifindex, vport_num, esw_owner_vhca_id, ++ mlx5_esw_bridge_vport_peer_link(upper, vport_num, esw_owner_vhca_id, + br_offloads, extack) : +- mlx5_esw_bridge_vport_peer_unlink(ifindex, vport_num, esw_owner_vhca_id, ++ mlx5_esw_bridge_vport_peer_unlink(upper, vport_num, esw_owner_vhca_id, + br_offloads, extack); + + return err; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +index bea7cc645461..eaa9b328abd5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +@@ -834,7 +834,7 @@ mlx5_esw_bridge_egress_miss_flow_create(struct mlx5_flow_table *egress_ft, + return handle; + } + +-static struct mlx5_esw_bridge *mlx5_esw_bridge_create(int ifindex, ++static struct mlx5_esw_bridge *mlx5_esw_bridge_create(struct net_device *br_netdev, + struct mlx5_esw_bridge_offloads *br_offloads) + { + struct mlx5_esw_bridge *bridge; +@@ -858,7 +858,7 @@ static struct mlx5_esw_bridge *mlx5_esw_bridge_create(int ifindex, + goto err_mdb_ht; + + INIT_LIST_HEAD(&bridge->fdb_list); +- bridge->ifindex = ifindex; ++ bridge->ifindex = br_netdev->ifindex; + bridge->refcnt = 1; + bridge->ageing_time = clock_t_to_jiffies(BR_DEFAULT_AGEING_TIME); + bridge->vlan_proto = ETH_P_8021Q; +@@ -898,14 +898,14 @@ static void mlx5_esw_bridge_put(struct mlx5_esw_bridge_offloads *br_offloads, + } + + static struct mlx5_esw_bridge * +-mlx5_esw_bridge_lookup(int ifindex, struct mlx5_esw_bridge_offloads *br_offloads) ++mlx5_esw_bridge_lookup(struct net_device *br_netdev, struct mlx5_esw_bridge_offloads *br_offloads) + { + struct mlx5_esw_bridge *bridge; + + ASSERT_RTNL(); + + list_for_each_entry(bridge, &br_offloads->bridges, list) { +- if (bridge->ifindex == ifindex) { ++ if (bridge->ifindex == br_netdev->ifindex) { + mlx5_esw_bridge_get(bridge); + return bridge; + } +@@ -918,7 +918,7 @@ mlx5_esw_bridge_lookup(int ifindex, struct 
mlx5_esw_bridge_offloads *br_offloads + return ERR_PTR(err); + } + +- bridge = mlx5_esw_bridge_create(ifindex, br_offloads); ++ bridge = mlx5_esw_bridge_create(br_netdev, br_offloads); + if (IS_ERR(bridge) && list_empty(&br_offloads->bridges)) + mlx5_esw_bridge_ingress_table_cleanup(br_offloads); + return bridge; +@@ -1601,15 +1601,15 @@ static int mlx5_esw_bridge_vport_cleanup(struct mlx5_esw_bridge_offloads *br_off + return 0; + } + +-static int mlx5_esw_bridge_vport_link_with_flags(int ifindex, u16 vport_num, u16 esw_owner_vhca_id, +- u16 flags, ++static int mlx5_esw_bridge_vport_link_with_flags(struct net_device *br_netdev, u16 vport_num, ++ u16 esw_owner_vhca_id, u16 flags, + struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack) + { + struct mlx5_esw_bridge *bridge; + int err; + +- bridge = mlx5_esw_bridge_lookup(ifindex, br_offloads); ++ bridge = mlx5_esw_bridge_lookup(br_netdev, br_offloads); + if (IS_ERR(bridge)) { + NL_SET_ERR_MSG_MOD(extack, "Error checking for existing bridge with same ifindex"); + return PTR_ERR(bridge); +@@ -1627,15 +1627,16 @@ static int mlx5_esw_bridge_vport_link_with_flags(int ifindex, u16 vport_num, u16 + return err; + } + +-int mlx5_esw_bridge_vport_link(int ifindex, u16 vport_num, u16 esw_owner_vhca_id, ++int mlx5_esw_bridge_vport_link(struct net_device *br_netdev, u16 vport_num, u16 esw_owner_vhca_id, + struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack) + { +- return mlx5_esw_bridge_vport_link_with_flags(ifindex, vport_num, esw_owner_vhca_id, 0, ++ return mlx5_esw_bridge_vport_link_with_flags(br_netdev, vport_num, esw_owner_vhca_id, 0, + br_offloads, extack); + } + +-int mlx5_esw_bridge_vport_unlink(int ifindex, u16 vport_num, u16 esw_owner_vhca_id, ++int mlx5_esw_bridge_vport_unlink(struct net_device *br_netdev, u16 vport_num, ++ u16 esw_owner_vhca_id, + struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack) + { +@@ -1647,7 +1648,7 @@ int 
mlx5_esw_bridge_vport_unlink(int ifindex, u16 vport_num, u16 esw_owner_vhca_ + NL_SET_ERR_MSG_MOD(extack, "Port is not attached to any bridge"); + return -EINVAL; + } +- if (port->bridge->ifindex != ifindex) { ++ if (port->bridge->ifindex != br_netdev->ifindex) { + NL_SET_ERR_MSG_MOD(extack, "Port is attached to another bridge"); + return -EINVAL; + } +@@ -1658,23 +1659,25 @@ int mlx5_esw_bridge_vport_unlink(int ifindex, u16 vport_num, u16 esw_owner_vhca_ + return err; + } + +-int mlx5_esw_bridge_vport_peer_link(int ifindex, u16 vport_num, u16 esw_owner_vhca_id, ++int mlx5_esw_bridge_vport_peer_link(struct net_device *br_netdev, u16 vport_num, ++ u16 esw_owner_vhca_id, + struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack) + { + if (!MLX5_CAP_ESW(br_offloads->esw->dev, merged_eswitch)) + return 0; + +- return mlx5_esw_bridge_vport_link_with_flags(ifindex, vport_num, esw_owner_vhca_id, ++ return mlx5_esw_bridge_vport_link_with_flags(br_netdev, vport_num, esw_owner_vhca_id, + MLX5_ESW_BRIDGE_PORT_FLAG_PEER, + br_offloads, extack); + } + +-int mlx5_esw_bridge_vport_peer_unlink(int ifindex, u16 vport_num, u16 esw_owner_vhca_id, ++int mlx5_esw_bridge_vport_peer_unlink(struct net_device *br_netdev, u16 vport_num, ++ u16 esw_owner_vhca_id, + struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack) + { +- return mlx5_esw_bridge_vport_unlink(ifindex, vport_num, esw_owner_vhca_id, br_offloads, ++ return mlx5_esw_bridge_vport_unlink(br_netdev, vport_num, esw_owner_vhca_id, br_offloads, + extack); + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h +index a9dd18c73d6a..2f7ad3bdba5e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h +@@ -43,16 +43,18 @@ struct mlx5_esw_bridge_offloads { + + struct mlx5_esw_bridge_offloads *mlx5_esw_bridge_init(struct mlx5_eswitch *esw); + void 
mlx5_esw_bridge_cleanup(struct mlx5_eswitch *esw); +-int mlx5_esw_bridge_vport_link(int ifindex, u16 vport_num, u16 esw_owner_vhca_id, ++int mlx5_esw_bridge_vport_link(struct net_device *br_netdev, u16 vport_num, u16 esw_owner_vhca_id, + struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack); +-int mlx5_esw_bridge_vport_unlink(int ifindex, u16 vport_num, u16 esw_owner_vhca_id, ++int mlx5_esw_bridge_vport_unlink(struct net_device *br_netdev, u16 vport_num, u16 esw_owner_vhca_id, + struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack); +-int mlx5_esw_bridge_vport_peer_link(int ifindex, u16 vport_num, u16 esw_owner_vhca_id, ++int mlx5_esw_bridge_vport_peer_link(struct net_device *br_netdev, u16 vport_num, ++ u16 esw_owner_vhca_id, + struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack); +-int mlx5_esw_bridge_vport_peer_unlink(int ifindex, u16 vport_num, u16 esw_owner_vhca_id, ++int mlx5_esw_bridge_vport_peer_unlink(struct net_device *br_netdev, u16 vport_num, ++ u16 esw_owner_vhca_id, + struct mlx5_esw_bridge_offloads *br_offloads, + struct netlink_ext_ack *extack); + void mlx5_esw_bridge_fdb_update_used(struct net_device *dev, u16 vport_num, u16 esw_owner_vhca_id, +-- +2.31.1 + diff --git a/SPECS/kernel-hci/0084-net-mlx5-Bridge-expose-FDB-state-via-debugfs.patch b/SPECS/kernel-hci/0084-net-mlx5-Bridge-expose-FDB-state-via-debugfs.patch new file mode 100644 index 00000000000..97a6658b18e --- /dev/null +++ b/SPECS/kernel-hci/0084-net-mlx5-Bridge-expose-FDB-state-via-debugfs.patch 
@@ -0,0 +1,243 @@ +From 791eb78285e8b81bc09bfc6bd928b981eaefb082 Mon Sep 17 00:00:00 2001 +From: Vlad Buslov +Date: Thu, 25 May 2023 15:19:00 +0200 +Subject: [PATCH 84/84] net/mlx5: Bridge, expose FDB state via debugfs + +For debugging purposes expose offloaded FDB state (flags, counters, etc.) +via debugfs inside 'esw' root directory. Example debugfs file output: + +$ cat mlx5/0000\:08\:00.0/esw/bridge/bridge1/fdb +DEV MAC VLAN PACKETS BYTES LASTUSE FLAGS +enp8s0f0_1 e4:0a:05:08:00:06 2 2 204 4295567112 0x0 +enp8s0f0_0 e4:0a:05:08:00:03 2 3 278 4295567112 0x0 + +Conflicts: + - drivers/net/ethernet/mellanox/mlx5/core/Makefile + Context diff due to missing + c1fef618d611 ("net/mlx5: Implement thermal zone") + + - drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c + - include/linux/mlx5/fs.h + commit 2b68d659a704 ("net/mlx5e: TC, support per action stats") + is missing. Thus, function mlx5_fc_query_cached_raw() is missing + and a build error occurs. Add needed function to the patch. + +Signed-off-by: Vlad Buslov +Reviewed-by: Tariq Toukan +Reviewed-by: Gal Pressman +Signed-off-by: Saeed Mahameed +--- + .../net/ethernet/mellanox/mlx5/core/Makefile | 3 +- + .../ethernet/mellanox/mlx5/core/esw/bridge.c | 4 + + .../ethernet/mellanox/mlx5/core/esw/bridge.h | 2 + + .../mellanox/mlx5/core/esw/bridge_debugfs.c | 89 +++++++++++++++++++ + .../mellanox/mlx5/core/esw/bridge_priv.h | 6 ++ + 5 files changed, 103 insertions(+), 1 deletion(-) + create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_debugfs.c + +--- a/drivers/net/ethernet/mellanox/mlx5/core/Makefile ++++ b/drivers/net/ethernet/mellanox/mlx5/core/Makefile +@@ -60,7 +60,8 @@ mlx5_core-$(CONFIG_MLX5_ESWITCH) += es + esw/acl/egress_lgcy.o esw/acl/egress_ofld.o \ + esw/acl/ingress_lgcy.o esw/acl/ingress_ofld.o + +-mlx5_core-$(CONFIG_MLX5_BRIDGE) += esw/bridge.o esw/bridge_mcast.o en/rep/bridge.o ++mlx5_core-$(CONFIG_MLX5_BRIDGE) += esw/bridge.o esw/bridge_mcast.o esw/bridge_debugfs.o \ ++ en/rep/bridge.o 
+ + mlx5_core-$(CONFIG_MLX5_MPFS) += lib/mpfs.o + mlx5_core-$(CONFIG_VXLAN) += lib/vxlan.o +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +@@ -850,6 +850,7 @@ static struct mlx5_esw_bridge *mlx5_esw_ + bridge->ageing_time = clock_t_to_jiffies(BR_DEFAULT_AGEING_TIME); + bridge->vlan_proto = ETH_P_8021Q; + list_add(&bridge->list, &br_offloads->bridges); ++ mlx5_esw_bridge_debugfs_init(br_netdev, bridge); + + return bridge; + +@@ -873,6 +874,7 @@ static void mlx5_esw_bridge_put(struct m + if (--bridge->refcnt) + return; + ++ mlx5_esw_bridge_debugfs_cleanup(bridge); + mlx5_esw_bridge_egress_table_cleanup(bridge); + mlx5_esw_bridge_mcast_disable(bridge); + list_del(&bridge->list); +@@ -1890,6 +1892,7 @@ struct mlx5_esw_bridge_offloads *mlx5_es + xa_init(&br_offloads->ports); + br_offloads->esw = esw; + esw->br_offloads = br_offloads; ++ mlx5_esw_bridge_debugfs_offloads_init(br_offloads); + + return br_offloads; + } +@@ -1905,6 +1908,7 @@ void mlx5_esw_bridge_cleanup(struct mlx5 + + mlx5_esw_bridge_flush(br_offloads); + WARN_ON(!xa_empty(&br_offloads->ports)); ++ mlx5_esw_bridge_debugfs_offloads_cleanup(br_offloads); + + esw->br_offloads = NULL; + kvfree(br_offloads); +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.h +@@ -10,6 +10,7 @@ + #include + #include "eswitch.h" + ++struct dentry; + struct mlx5_flow_table; + struct mlx5_flow_group; + +@@ -17,6 +18,7 @@ struct mlx5_esw_bridge_offloads { + struct mlx5_eswitch *esw; + struct list_head bridges; + struct xarray ports; ++ struct dentry *debugfs_root; + + struct notifier_block netdev_nb; + struct notifier_block nb_blk; +--- /dev/null ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_debugfs.c +@@ -0,0 +1,89 @@ ++// SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB ++/* Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved. 
*/ ++ ++#include ++#include "bridge.h" ++#include "bridge_priv.h" ++ ++static void *mlx5_esw_bridge_debugfs_start(struct seq_file *seq, loff_t *pos); ++static void *mlx5_esw_bridge_debugfs_next(struct seq_file *seq, void *v, loff_t *pos); ++static void mlx5_esw_bridge_debugfs_stop(struct seq_file *seq, void *v); ++static int mlx5_esw_bridge_debugfs_show(struct seq_file *seq, void *v); ++ ++static const struct seq_operations mlx5_esw_bridge_debugfs_sops = { ++ .start = mlx5_esw_bridge_debugfs_start, ++ .next = mlx5_esw_bridge_debugfs_next, ++ .stop = mlx5_esw_bridge_debugfs_stop, ++ .show = mlx5_esw_bridge_debugfs_show, ++}; ++DEFINE_SEQ_ATTRIBUTE(mlx5_esw_bridge_debugfs); ++ ++static void *mlx5_esw_bridge_debugfs_start(struct seq_file *seq, loff_t *pos) ++{ ++ struct mlx5_esw_bridge *bridge = seq->private; ++ ++ rtnl_lock(); ++ return *pos ? seq_list_start(&bridge->fdb_list, *pos - 1) : SEQ_START_TOKEN; ++} ++ ++static void *mlx5_esw_bridge_debugfs_next(struct seq_file *seq, void *v, loff_t *pos) ++{ ++ struct mlx5_esw_bridge *bridge = seq->private; ++ ++ return seq_list_next(v == SEQ_START_TOKEN ? 
&bridge->fdb_list : v, &bridge->fdb_list, pos); ++} ++ ++static void mlx5_esw_bridge_debugfs_stop(struct seq_file *seq, void *v) ++{ ++ rtnl_unlock(); ++} ++ ++static int mlx5_esw_bridge_debugfs_show(struct seq_file *seq, void *v) ++{ ++ struct mlx5_esw_bridge_fdb_entry *entry; ++ u64 packets, bytes, lastuse; ++ ++ if (v == SEQ_START_TOKEN) { ++ seq_printf(seq, "%-16s %-17s %4s %20s %20s %20s %5s\n", ++ "DEV", "MAC", "VLAN", "PACKETS", "BYTES", "LASTUSE", "FLAGS"); ++ return 0; ++ } ++ ++ entry = list_entry(v, struct mlx5_esw_bridge_fdb_entry, list); ++ mlx5_fc_query_cached_raw(entry->ingress_counter, &bytes, &packets, &lastuse); ++ seq_printf(seq, "%-16s %-17pM %4d %20llu %20llu %20llu %#5x\n", ++ entry->dev->name, entry->key.addr, entry->key.vid, packets, bytes, lastuse, ++ entry->flags); ++ return 0; ++} ++ ++void mlx5_esw_bridge_debugfs_init(struct net_device *br_netdev, struct mlx5_esw_bridge *bridge) ++{ ++ if (!bridge->br_offloads->debugfs_root) ++ return; ++ ++ bridge->debugfs_dir = debugfs_create_dir(br_netdev->name, ++ bridge->br_offloads->debugfs_root); ++ debugfs_create_file("fdb", 0444, bridge->debugfs_dir, bridge, ++ &mlx5_esw_bridge_debugfs_fops); ++} ++ ++void mlx5_esw_bridge_debugfs_cleanup(struct mlx5_esw_bridge *bridge) ++{ ++ debugfs_remove_recursive(bridge->debugfs_dir); ++ bridge->debugfs_dir = NULL; ++} ++ ++void mlx5_esw_bridge_debugfs_offloads_init(struct mlx5_esw_bridge_offloads *br_offloads) ++{ ++ if (!br_offloads->esw->debugfs_root) ++ return; ++ ++ br_offloads->debugfs_root = debugfs_create_dir("bridge", br_offloads->esw->debugfs_root); ++} ++ ++void mlx5_esw_bridge_debugfs_offloads_cleanup(struct mlx5_esw_bridge_offloads *br_offloads) ++{ ++ debugfs_remove_recursive(br_offloads->debugfs_root); ++ br_offloads->debugfs_root = NULL; ++} +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge_priv.h +@@ -199,6 +199,7 @@ struct mlx5_esw_bridge { + int refcnt; + struct 
list_head list; + struct mlx5_esw_bridge_offloads *br_offloads; ++ struct dentry *debugfs_dir; + + struct list_head fdb_list; + struct rhashtable fdb_ht; +@@ -241,4 +242,9 @@ void mlx5_esw_bridge_port_mdb_vlan_flush + struct mlx5_esw_bridge_vlan *vlan); + void mlx5_esw_bridge_mdb_flush(struct mlx5_esw_bridge *bridge); + ++void mlx5_esw_bridge_debugfs_offloads_init(struct mlx5_esw_bridge_offloads *br_offloads); ++void mlx5_esw_bridge_debugfs_offloads_cleanup(struct mlx5_esw_bridge_offloads *br_offloads); ++void mlx5_esw_bridge_debugfs_init(struct net_device *br_netdev, struct mlx5_esw_bridge *bridge); ++void mlx5_esw_bridge_debugfs_cleanup(struct mlx5_esw_bridge *bridge); ++ + #endif /* _MLX5_ESW_BRIDGE_PRIVATE_ */ +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c +@@ -430,6 +430,16 @@ u64 mlx5_fc_query_lastuse(struct mlx5_fc + return counter->cache.lastuse; + } + ++void mlx5_fc_query_cached_raw(struct mlx5_fc *counter, ++ u64 *bytes, u64 *packets, u64 *lastuse) ++{ ++ struct mlx5_fc_cache c = counter->cache; ++ ++ *bytes = c.bytes; ++ *packets = c.packets; ++ *lastuse = c.lastuse; ++} ++ + void mlx5_fc_query_cached(struct mlx5_fc *counter, + u64 *bytes, u64 *packets, u64 *lastuse) + { +--- a/include/linux/mlx5/fs.h ++++ b/include/linux/mlx5/fs.h +@@ -248,6 +248,8 @@ void mlx5_fc_destroy(struct mlx5_core_de + u64 mlx5_fc_query_lastuse(struct mlx5_fc *counter); + void mlx5_fc_query_cached(struct mlx5_fc *counter, + u64 *bytes, u64 *packets, u64 *lastuse); ++void mlx5_fc_query_cached_raw(struct mlx5_fc *counter, ++ u64 *bytes, u64 *packets, u64 *lastuse); + int mlx5_fc_query(struct mlx5_core_dev *dev, struct mlx5_fc *counter, + u64 *packets, u64 *bytes); + u32 mlx5_fc_id(struct mlx5_fc *counter); 
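Review bot: `mlx5_fc_query_cached_raw`, which the backport itself adds to fs_counters.c and include/linux/mlx5/fs.h (see the Conflicts section), carries no comment distinguishing it from the adjacent `mlx5_fc_query_cached`; its body only copies `counter->cache` and writes the three outputs, so a kernel-doc comment such as `/* Return the cached byte/packet/lastuse values without modifying any counter state; intended for read-only consumers such as debugfs. */` would record why the bridge FDB dump uses it. How `mlx5_fc_query_cached` differs is not visible in the hunk, so keep the comment to what this function does. The struct copy `struct mlx5_fc_cache c = counter->cache;` is taken without a lock, so the three fields may not be mutually consistent if the counter cache is being refreshed concurrently — acceptable for a debug dump, but worth stating in the same comment. Separately, `mlx5_esw_bridge_debugfs_init` names the debugfs directory after `br_netdev->name` while bridges are otherwise identified by `ifindex`, so a later bridge rename leaves a stale directory name and a second offloaded bridge with the same name would make `debugfs_create_dir` return an error pointer that the following `debugfs_create_file` silently propagates.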
diff --git a/SPECS/kernel-hci/0085-net-mlx5-DR-Align-mlx5dv_dr-API-vport-action-with-FW.patch b/SPECS/kernel-hci/0085-net-mlx5-DR-Align-mlx5dv_dr-API-vport-action-with-FW.patch new file mode 100644 index 00000000000..91413bb0273 --- /dev/null +++ b/SPECS/kernel-hci/0085-net-mlx5-DR-Align-mlx5dv_dr-API-vport-action-with-FW.patch 
@@ -0,0 +1,47 @@ +From aa818fbf8f36e8c6f3e608ea960567906c2d6112 Mon Sep 17 00:00:00 2001 +From: Shun Hao +Date: Mon, 17 Jan 2022 14:01:12 +0200 +Subject: [PATCH] net/mlx5: DR, Align mlx5dv_dr API vport action with FW + behavior + +This aligns the behavior with FW when creating an FDB rule with wire +vport destination but no source port matching. Until now such rules +would fail on internal DR RX rule creation since the source and +destination are the wire vport. +The new behavior is the same as done on FW steering, if destination is +wire, we will create both TX and RX rules, but the RX packet coming from +wire will be dropped due to loopback not supported. + +Signed-off-by: Shun Hao +Reviewed-by: Alex Vesker +Signed-off-by: Saeed Mahameed +--- + .../ethernet/mellanox/mlx5/core/steering/dr_action.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +index c61a5e83c78c..743422acc3d8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +@@ -669,15 +669,9 @@ int mlx5dr_actions_build_ste_arr(struct mlx5dr_matcher *matcher, + case DR_ACTION_TYP_VPORT: + attr.hit_gvmi = action->vport->caps->vhca_gvmi; + dest_action = action; +- if (rx_rule) { +- if (action->vport->caps->num == MLX5_VPORT_UPLINK) { +- mlx5dr_dbg(dmn, "Device doesn't support Loopback on WIRE vport\n"); +- return -EOPNOTSUPP; +- } +- attr.final_icm_addr = action->vport->caps->icm_address_rx; +- } else { +- attr.final_icm_addr = action->vport->caps->icm_address_tx; +- } ++ attr.final_icm_addr = rx_rule ? ++ action->vport->caps->icm_address_rx : ++ action->vport->caps->icm_address_tx; + break; + case DR_ACTION_TYP_POP_VLAN: + if (!rx_rule && !(dmn->ste_ctx->actions_caps & +-- +2.33.2 + 
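Review bot: The hunk removes the only diagnostic for the uplink-loopback case in mlx5dr_actions_build_ste_arr: an RX rule whose vport destination is MLX5_VPORT_UPLINK is now built successfully and, per the commit message, the traffic is dropped by the device instead of the rule being rejected with -EOPNOTSUPP. That is a silent behaviour change for callers that previously saw the error, so a short comment at the `case DR_ACTION_TYP_VPORT:` site, e.g. `/* An RX rule towards the wire vport is created to match FW steering; the device drops such loopback traffic. */`, would preserve the explanation the deleted `mlx5dr_dbg` message carried. The enclosing function begins and ends outside the hunk.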
diff --git a/SPECS/kernel-hci/0086-net-mlx5-Lag-add-debugfs-to-query-hardware-lag-state.patch b/SPECS/kernel-hci/0086-net-mlx5-Lag-add-debugfs-to-query-hardware-lag-state.patch new file mode 100755 index 00000000000..1a1d770e7e1 --- /dev/null +++ b/SPECS/kernel-hci/0086-net-mlx5-Lag-add-debugfs-to-query-hardware-lag-state.patch 
@@ -0,0 +1,286 @@ +From 66a6f7cc7fcf5ea8d09fc0dc414946447e4a584a Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Tue, 15 Mar 2022 16:56:50 +0000 +Subject: [PATCH] net/mlx5: Lag, add debugfs to query hardware lag state + +Lag state has become very complicated with many modes, flags, types and +port selections methods and future work will add additional features. + +Add a debugfs to query the current lag state. A new directory named "lag" +will be created under the mlx5 debugfs directory. As the driver has +debugfs per pci function the location will be: /mlx5//lag + +For example: +/sys/kernel/debug/mlx5/0000:08:00.0/lag + +The following files are exposed: + +- state: Returns "active" or "disabled". If "active" it means hardware + lag is active. + +- members: Returns the BDFs of all the members of lag object. + +- type: Returns the type of the lag currently configured. Valid only + if hardware lag is active. + * "roce" - Members are bare metal PFs. + * "switchdev" - Members are in switchdev mode. + * "multipath" - ECMP offloads. + +- port_sel_mode: Returns the egress port selection method, valid + only if hardware lag is active. + * "queue_affinity" - Egress port is selected by + the QP/SQ affinity. + * "hash" - Egress port is selected by hash done on + each packet. Controlled by: xmit_hash_policy of the + bond device. +- flags: Returns flags that are specific per lag @type. Valid only if + hardware lag is active. + * "shared_fdb" - "on" or "off", if "on" single FDB is used. + +- mapping: Returns the mapping which is used to select egress port. + Valid only if hardware lag is active. + If @port_sel_mode is "hash" returns the active egress ports. + The hash result will select only active ports. + if @port_sel_mode is "queue_affinity" returns the mapping + between the configured port affinity of the QP/SQ and actual + egress port. For example: + * 1:1 - Mapping means if the configured affinity is port 1 + traffic will egress via port 1. 
+ * 1:2 - Mapping means if the configured affinity is port 1 + traffic will egress via port 2. This can happen + if port 1 is down or in active/backup mode and port 1 + is backup. + +Signed-off-by: Mark Bloch +Signed-off-by: Saeed Mahameed +--- + .../net/ethernet/mellanox/mlx5/core/Makefile | 2 +- + .../ethernet/mellanox/mlx5/core/lag/debugfs.c | 123 ++++++++++++++++++ + .../net/ethernet/mellanox/mlx5/core/lag/lag.c | 9 +- + .../net/ethernet/mellanox/mlx5/core/lag/lag.h | 8 ++ + include/linux/mlx5/driver.h | 1 + + 5 files changed, 140 insertions(+), 3 deletions(-) + create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/lag/debugfs.c + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/Makefile b/drivers/net/ethernet/mellanox/mlx5/core/Makefile +index f4f69ed17954..f39903d2b0d2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/Makefile ++++ b/drivers/net/ethernet/mellanox/mlx5/core/Makefile +@@ -14,7 +14,7 @@ obj-$(CONFIG_MLX5_CORE) += mlx5_core.o + mlx5_core-y := main.o cmd.o debugfs.o fw.o eq.o uar.o pagealloc.o \ + health.o mcg.o cq.o alloc.o port.o mr.o pd.o \ + transobj.o vport.o sriov.o fs_cmd.o fs_core.o pci_irq.o \ +- fs_counters.o fs_ft_pool.o rl.o lag/lag.o dev.o events.o wq.o lib/gid.o \ ++ fs_counters.o fs_ft_pool.o rl.o lag/debugfs.o lag/lag.o dev.o events.o wq.o lib/gid.o \ + lib/devcom.o lib/pci_vsc.o lib/dm.o lib/fs_ttc.o diag/fs_tracepoint.o \ + diag/fw_tracer.o diag/crdump.o devlink.o diag/rsc_dump.o \ + fw_reset.o qos.o +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/debugfs.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/debugfs.c +new file mode 100644 +index 000000000000..bf4f179374a9 +--- /dev/null ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/debugfs.c +@@ -0,0 +1,123 @@ ++// SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB ++/* Copyright (c) 2022, NVIDIA CORPORATION & AFFILIATES. All rights reserved. 
*/ ++ ++#include "lag.h" ++ ++static char *get_str_mode_type(struct mlx5_lag *ldev) ++{ ++ if (ldev->flags & MLX5_LAG_FLAG_ROCE) ++ return "roce"; ++ if (ldev->flags & MLX5_LAG_FLAG_SRIOV) ++ return "switchdev"; ++ if (ldev->flags & MLX5_LAG_FLAG_MULTIPATH) ++ return "multipath"; ++ ++ return NULL; ++} ++ ++static int type_show(struct seq_file *file, void *priv) ++{ ++ struct mlx5_core_dev *dev = file->private; ++ struct mlx5_lag *ldev; ++ char *mode = NULL; ++ ++ ldev = dev->priv.lag; ++ if (__mlx5_lag_is_active(ldev)) ++ mode = get_str_mode_type(ldev); ++ if (!mode) ++ return -EINVAL; ++ seq_printf(file, "%s\n", mode); ++ ++ return 0; ++} ++ ++static int port_sel_mode_show(struct seq_file *file, void *priv) ++{ ++ struct mlx5_core_dev *dev = file->private; ++ struct mlx5_lag *ldev; ++ int ret = 0; ++ char *mode; ++ ++ ldev = dev->priv.lag; ++ if (__mlx5_lag_is_active(ldev)) ++ mode = get_str_port_sel_mode(ldev->flags); ++ else ++ ret = -EINVAL; ++ if (ret || !mode) ++ return ret; ++ ++ seq_printf(file, "%s\n", mode); ++ return 0; ++} ++ ++static int state_show(struct seq_file *file, void *priv) ++{ ++ struct mlx5_core_dev *dev = file->private; ++ struct mlx5_lag *ldev; ++ bool active; ++ ++ ldev = dev->priv.lag; ++ active = __mlx5_lag_is_active(ldev); ++ seq_printf(file, "%s\n", active ? "active" : "disabled"); ++ return 0; ++} ++ ++static int flags_show(struct seq_file *file, void *priv) ++{ ++ struct mlx5_core_dev *dev = file->private; ++ struct mlx5_lag *ldev; ++ bool shared_fdb; ++ bool lag_active; ++ ++ ldev = dev->priv.lag; ++ lag_active = __mlx5_lag_is_active(ldev); ++ if (lag_active) ++ shared_fdb = ldev->shared_fdb; ++ ++ if (!lag_active) ++ return -EINVAL; ++ ++ seq_printf(file, "%s:%s\n", "shared_fdb", shared_fdb ? 
"on" : "off");
++ return 0;
++}
++
++static int mapping_show(struct seq_file *file, void *priv)
++{
++ struct mlx5_core_dev *dev = file->private;
++ struct mlx5_lag *ldev;
++ bool lag_active;
++
++ ldev = dev->priv.lag;
++ lag_active = __mlx5_lag_is_active(ldev);
++ if (!lag_active)
++ return -EINVAL;
++
++ seq_printf(file, "1:%d 2:%d\n", ldev->v2p_map[0], ldev->v2p_map[1]);
++
++ return 0;
++}
++
++DEFINE_SHOW_ATTRIBUTE(type);
++DEFINE_SHOW_ATTRIBUTE(port_sel_mode);
++DEFINE_SHOW_ATTRIBUTE(state);
++DEFINE_SHOW_ATTRIBUTE(flags);
++DEFINE_SHOW_ATTRIBUTE(mapping);
++
++void mlx5_ldev_add_debugfs(struct mlx5_core_dev *dev)
++{
++ struct dentry *dbg;
++
++ dbg = debugfs_create_dir("lag", dev->priv.dbg_root);
++ dev->priv.lag_debugfs = dbg;
++
++ debugfs_create_file("type", 0444, dbg, dev, &type_fops);
++ debugfs_create_file("port_sel_mode", 0444, dbg, dev, &port_sel_mode_fops);
++ debugfs_create_file("state", 0444, dbg, dev, &state_fops);
++ debugfs_create_file("flags", 0444, dbg, dev, &flags_fops);
++ debugfs_create_file("mapping", 0444, dbg, dev, &mapping_fops);
++}
++
++void mlx5_ldev_remove_debugfs(struct dentry *dbg)
++{
++ debugfs_remove_recursive(dbg);
++}
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
+index 1301f8f98cd8..820a15633cc9 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
+@@ -181,7 +181,7 @@ static bool __mlx5_lag_is_sriov(struct mlx5_lag *ldev)
+ return !!(ldev->flags & MLX5_LAG_FLAG_SRIOV);
+ }
+
+-static void mlx5_infer_tx_affinity_mapping(struct lag_tracker *tracker,
++void mlx5_infer_tx_affinity_mapping(struct lag_tracker *tracker,
+ u8 *port1, u8 *port2)
+ {
+ bool p1en;
+@@ -253,7 +253,7 @@ static void mlx5_lag_set_port_sel_mode(struct mlx5_lag *ldev,
+ *flags |= MLX5_LAG_FLAG_HASH_BASED;
+ }
+
+-static char *get_str_port_sel_mode(u8 flags)
++char *get_str_port_sel_mode(u8 flags)
+ {
+ if (flags &
MLX5_LAG_FLAG_HASH_BASED)
+ return "hash";
+@@ -833,6 +833,10 @@ void mlx5_lag_remove_mdev(struct mlx5_core_dev *dev)
+ if (!ldev)
+ return;
+
++ /* mdev is being removed, might as well remove debugfs
++ * as early as possible.
++ */
++ mlx5_ldev_remove_debugfs(dev->priv.lag_debugfs);
+ recheck:
+ mlx5_dev_list_lock();
+ if (ldev->mode_changes_in_progress) {
+@@ -863,6 +867,7 @@ void mlx5_lag_add_mdev(struct mlx5_core_dev *dev)
+ goto recheck;
+ }
+ mlx5_dev_list_unlock();
++ mlx5_ldev_add_debugfs(dev);
+ }
+
+ /* Must be called with intf_mutex held */
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h
+index e5d231c31b54..448e4ef0541d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h
+@@ -4,6 +4,7 @@
+ #ifndef __MLX5_LAG_H__
+ #define __MLX5_LAG_H__
+
++#include
+ #include "mlx5_core.h"
+ #include "mp.h"
+ #include "port_sel.h"
+@@ -83,4 +84,11 @@ int mlx5_activate_lag(struct mlx5_lag *ldev,
+ int mlx5_lag_dev_get_netdev_idx(struct mlx5_lag *ldev,
+ struct net_device *ndev);
+
++char *get_str_port_sel_mode(u8 flags);
++void mlx5_infer_tx_enabled(struct lag_tracker *tracker, u8 num_ports,
++ u8 *ports, int *num_enabled);
++
++void mlx5_ldev_add_debugfs(struct mlx5_core_dev *dev);
++void mlx5_ldev_remove_debugfs(struct dentry *dbg);
++
+ #endif /* __MLX5_LAG_H__ */
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index f17d2101af7a..54a6e012a620 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -578,6 +578,7 @@ struct mlx5_priv {
+ struct dentry *eq_debugfs;
+ struct dentry *cq_debugfs;
+ struct dentry *cmdif_debugfs;
++ struct dentry *lag_debugfs;
+ /* end: qp staff */
+
+ /* start: alloc staff */
+--
+2.21.3
+
diff --git a/SPECS/kernel-hci/config b/SPECS/kernel-hci/config
index ab84b891ad4..727b2cb9320 100644
--- a/SPECS/kernel-hci/config
+++ b/SPECS/kernel-hci/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.145.2 Kernel Configuration
+# Linux/x86_64 5.15.148.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS/kernel-hci/kernel-hci.signatures.json b/SPECS/kernel-hci/kernel-hci.signatures.json
index 7231a6a51ea..eeaf23585a7 100644
--- a/SPECS/kernel-hci/kernel-hci.signatures.json
+++ b/SPECS/kernel-hci/kernel-hci.signatures.json
@@ -1,7 +1,7 @@
 {
 "Signatures": {
 "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
- "config": "711fe10570a682f6aada220356e3e7ddd4a27713a7a821dc9fc6128b89709e44",
- "kernel-5.15.145.2.tar.gz": "5f09cdfe9d04b035d98d5aa5b22dd03e3cd6350ace51dab5c3ceea9283da7b0a"
+ "config": "bf4cb3afab12b14653e3fff9901ac4b3925b356fc588ee4e10336d3c58cc0d90",
+ "kernel-5.15.148.1.tar.gz": "e77c297fe3e3f0d9fd403c52f1e959389fa33e6642be9ddd12d4ea7f8927e5d6"
 }
 }
\ No newline at end of file
diff --git a/SPECS/kernel-hci/kernel-hci.spec b/SPECS/kernel-hci/kernel-hci.spec
index 43e172007a7..e44037c26ce 100644
--- a/SPECS/kernel-hci/kernel-hci.spec
+++ b/SPECS/kernel-hci/kernel-hci.spec
@@ -17,7 +17,7 @@
 %define config_source %{SOURCE1}
 Summary: Linux Kernel for HCI
 Name: kernel-hci
-Version: 5.15.145.2
+Version: 5.15.148.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -54,7 +54,65 @@ Patch23: 0024-net-mlx5-Bridge-extract-VLAN-push-pop-actions-creati.patch
 Patch24: 0025-net-mlx5-Bridge-implement-infrastructure-for-VLAN-pr.patch
 Patch25: 0026-net-mlx5-Bridge-implement-QinQ-support.patch
 Patch26: 0027-mstflint-This-driver-enables-under-the-secure-boot.patch
-Patch27: 0028-net-mlx5-Bridge-use-debug-not-warn-if-entry-not-found.patch
+Patch27: 0028-net-mlx5-Bridge-Use-debug-instead-of-warn-if-entry-d.patch
+Patch28: 0029-Revert-net-mlx5-DR-Fix-uninitialized-var-warning.patch
+Patch29: 0030-net-mlx5-DR-Fix-code-indentation-in-dr_ste_v1.patch
+Patch30: 0031-net-mlx5-DR-Fix-vport-number-data-type-to-u16.patch
+Patch31: 0032-net-mlx5-DR-Replace-local-WIRE_PORT-macro-with-the-e.patch
+Patch32: 0033-net-mlx5-DR-Add-missing-query-for-vport-0.patch
+Patch33: 0034-net-mlx5-DR-Align-error-messages-for-failure-to-obta.patch
+Patch34: 0035-net-mlx5-DR-Support-csum-recalculation-flow-table-on.patch
+Patch35: 0036-net-mlx5-DR-Add-support-for-SF-vports.patch
+Patch36: 0037-net-mlx5-DR-Increase-supported-num-of-actions-to-32.patch
+Patch37: 0038-net-mlx5-DR-Fix-typo-offeset-to-offset.patch
+Patch38: 0039-net-mlx5-DR-init_next_match-only-if-needed.patch
+Patch39: 0040-net-mlx5-DR-Add-check-for-unsupported-fields-in-matc.patch
+Patch40: 0041-net-mlx5-DR-Fix-check-for-unsupported-fields-in-matc.patch
+Patch41: 0042-net-mlx5-DR-Fix-error-flow-in-creating-matcher.patch
+Patch42: 0043-net-mlx5-DR-Fix-lower-case-macro-prefix-mlx5_-to-MLX.patch
+Patch43: 0044-net-mlx5-DR-Remove-unused-struct-member-in-matcher.patch
+Patch44: 0045-net-mlx5-DR-Add-check-for-flex-parser-ID-value.patch
+Patch45: 0046-net-mlx5-DR-Add-missing-reserved-fields-to-dr_match_.patch
+Patch46: 0047-net-mlx5-DR-Add-support-for-dumping-steering-info.patch
+Patch47: 0048-net-mlx5-DR-Add-support-for-UPLINK-destination-type.patch
+Patch48: 0049-net-mlx5-DR-Warn-on-failure-to-destroy-objects-due-t.patch
+Patch49: 0050-net-mlx5-Add-misc5-flow-table-match-parameters.patch
+Patch50: 
0051-net-mlx5-DR-Add-misc5-to-match_param-structs.patch
+Patch51: 0052-net-mlx5-DR-Support-matching-on-tunnel-headers-0-and.patch
+Patch52: 0053-net-mlx5-DR-Add-support-for-matching-on-geneve_tlv_o.patch
+Patch53: 0054-net-mlx5-DR-Improve-steering-for-empty-or-RX-TX-only.patch
+Patch54: 0055-net-mlx5-DR-Ignore-modify-TTL-if-device-doesn-t-supp.patch
+Patch55: 0056-net-mlx5-Add-ability-to-insert-to-specific-flow-grou.patch
+Patch56: 0057-net-mlx5-E-Switch-reserve-and-use-same-uplink-metada.patch
+Patch57: 0058-net-mlx5-E-switch-remove-special-uplink-ingress-ACL-.patch
+Patch58: 0059-net-mlx5-E-switch-add-drop-rule-support-to-ingress-A.patch
+Patch59: 0060-net-mlx5-Lag-use-local-variable-already-defined-to-a.patch
+Patch60: 0061-net-mlx5-Lag-don-t-use-magic-numbers-for-ports.patch
+Patch61: 0062-net-mlx5-Lag-record-inactive-state-of-bond-device.patch
+Patch62: 0063-net-mlx5-Lag-offload-active-backup-drops-to-hardware.patch
+Patch63: 0064-net-mlx5-Add-mlx5_ifc-definitions-for-bridge-multica.patch
+Patch64: 0065-net-mlx5-Bridge-increase-bridge-tables-sizes.patch
+Patch65: 0066-net-mlx5-Bridge-move-additional-data-structures-to-p.patch
+Patch66: 0067-net-mlx5-Bridge-extract-code-to-lookup-parent-bridge.patch
+Patch67: 0068-net-mlx5-Bridge-snoop-igmp-mld-packets.patch
+Patch68: 0069-net-mlx5-Bridge-add-per-port-multicast-replication-t.patch
+Patch69: 0070-net-mlx5-Bridge-support-multicast-VLAN-pop.patch
+Patch70: 0071-netlink-add-support-for-formatted-extack-messages.patch
+Patch71: 0072-net-mlx5-Bridge-implement-mdb-offload.patch
+Patch72: 0073-net-mlx5-Bridge-add-tracepoints-for-multicast.patch
+Patch73: 0074-net-mlx5-DR-Fix-uninitialized-var-warning.patch
+Patch74: 0075-net-mlx5-Fix-matching-on-inner-TTC.patch
+Patch75: 0076-net-mlx5-Lag-fix-a-potential-Oops-with-mlx5_lag_crea.patch
+Patch76: 0077-net-mlx5-DR-Fix-SMFS-steering-info-dump-format.patch
+Patch77: 0078-net-mlx5-DR-Fix-matcher-disconnect-error-flow.patch
+Patch78: 
0079-net-mlx5-DR-Ignore-modify-TTL-on-RX-if-device-doesn-.patch
+Patch79: 0080-net-mlx5-DR-Handle-eswitch-manager-and-uplink-vports.patch
+Patch80: 0081-net-mlx5-DR-Fix-slab-out-of-bounds-in-mlx5_cmd_dr_cr.patch
+Patch81: 0082-net-mlx5-Create-eswitch-debugfs-root-directory.patch
+Patch82: 0083-net-mlx5-Bridge-pass-net-device-when-linking-vport-t.patch
+Patch83: 0084-net-mlx5-Bridge-expose-FDB-state-via-debugfs.patch
+Patch84: 0085-net-mlx5-DR-Align-mlx5dv_dr-API-vport-action-with-FW.patch
+Patch85: 0086-net-mlx5-Lag-add-debugfs-to-query-hardware-lag-state.patch
 BuildRequires: audit-devel
 BuildRequires: bash
 BuildRequires: bc
@@ -200,6 +258,64 @@ manipulation of eBPF programs and maps.
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
+%patch38 -p1
+%patch39 -p1
+%patch40 -p1
+%patch41 -p1
+%patch42 -p1
+%patch43 -p1
+%patch44 -p1
+%patch45 -p1
+%patch46 -p1
+%patch47 -p1
+%patch48 -p1
+%patch49 -p1
+%patch50 -p1
+%patch51 -p1
+%patch52 -p1
+%patch53 -p1
+%patch54 -p1
+%patch55 -p1
+%patch56 -p1
+%patch57 -p1
+%patch58 -p1
+%patch59 -p1
+%patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+%patch65 -p1
+%patch66 -p1
+%patch67 -p1
+%patch68 -p1
+%patch69 -p1
+%patch70 -p1
+%patch71 -p1
+%patch72 -p1
+%patch73 -p1
+%patch74 -p1
+%patch75 -p1
+%patch76 -p1
+%patch77 -p1
+%patch78 -p1
+%patch79 -p1
+%patch80 -p1
+%patch81 -p1
+%patch82 -p1
+%patch83 -p1
+%patch84 -p1
+%patch85 -p1
 make mrproper
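Review bot: Patch28 (`0029-Revert-net-mlx5-DR-Fix-uninitialized-var-warning.patch`) reverts the same fix that Patch73 (`0074-net-mlx5-DR-Fix-uninitialized-var-warning.patch`) re-applies later in the list, and nothing in the spec records why the pair is needed, so a future cleanup could drop one of them and break the series. A one-line comment above Patch28, e.g. `# Patch28 reverts the stable backport so the DR series applies; Patch73 restores the same fix on top of it (see <reason>)`, would capture the intent — please replace the placeholder with the actual reason. The changelog entry only says the patches were added, so the spec is the natural place for this.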
@@ -435,6 +551,19 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 %changelog
+* Tue Jan 30 2024 CBL-Mariner Servicing Account - 5.15.148.1-1
+- Auto-upgrade to 5.15.148.1
+
+* Thu Jan 25 2024 CBL-Mariner Servicing Account - 5.15.147.1-1
+- Auto-upgrade to 5.15.147.1
+
+* Thu Jan 25 2024 Vince Perri - 5.15.145.2-3
+- Add net/mlx5 patches (28-85) that backports upstream near-edge improvements and support for 100GB BOM.
+
+* Mon Jan 22 2024 Vince Perri - 5.15.145.2-2
+- Fix header for patch 27 and rename to
+- 0028-net-mlx5-Bridge-Use-debug-instead-of-warn-if-entry-d.patch
+
 * Tue Jan 16 2024 Gary Swalling - 5.15.145.2-1
 - Update to 5.15.145.2
diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json
index 4d087f9ab56..59666933649 100644
--- a/SPECS/kernel-headers/kernel-headers.signatures.json
+++ b/SPECS/kernel-headers/kernel-headers.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "kernel-5.15.145.2.tar.gz": "5f09cdfe9d04b035d98d5aa5b22dd03e3cd6350ace51dab5c3ceea9283da7b0a"
+ "kernel-5.15.148.1.tar.gz": "e77c297fe3e3f0d9fd403c52f1e959389fa33e6642be9ddd12d4ea7f8927e5d6"
 }
 }
diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec
index 1eb2c7677e5..d03ece82335 100644
--- a/SPECS/kernel-headers/kernel-headers.spec
+++ b/SPECS/kernel-headers/kernel-headers.spec
@@ -1,14 +1,24 @@
+# This package doesn't contain any binaries, thus no debuginfo package is needed.
+%global debug_package %{nil}
+
+%if "%{_arch}" == "x86_64"
+ %global build_cross 1
+ %define cross_archs arm64
+%else
+ %global build_cross 0
+ %define cross_archs %{nil}
+%endif
+
 Summary: Linux API header files
 Name: kernel-headers
-Version: 5.15.145.2
+Version: 5.15.148.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: System Environment/Kernel
 URL: https://github.com/microsoft/CBL-Mariner-Linux-Kernel
-#Source0: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/%%{version}.tar.gz
-Source0: kernel-%{version}.tar.gz
+Source0: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/%{version}.tar.gz#/kernel-%{version}.tar.gz
 # Historical name shipped by other distros
 Provides: glibc-kernheaders = %{version}-%{release}
 BuildArch: noarch
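Review bot: The new `%if "%{_arch}" == "x86_64"` block decides whether `build_cross` is set, but the package keeps `BuildArch: noarch` a few lines below, so the noarch output — and whether a `kernel-cross-headers` subpackage exists at all — now depends on which builder produced it. If that is intended, a comment at the `%if` such as `# Cross headers are only generated on x86_64 builders; the noarch payload therefore differs by build host.` would stop the next reader from filing it as a packaging bug. If it is not intended, the package should either stop being noarch or the cross subpackage should be produced independently of the build host.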
@@ -16,26 +26,66 @@ BuildArch: noarch
 %description
 The Linux API Headers expose the kernel's API for use by Glibc.
+%if %{build_cross}
+%package -n kernel-cross-headers
+Summary: Header files for the Linux kernel for use by cross-glibc.
+
+%description -n kernel-cross-headers
+Kernel-cross-headers includes the C header files that specify the interface
+between the Linux kernel and userspace libraries and programs. The
+header files define structures and constants that are needed for
+building most standard programs and are also needed for rebuilding the
+cross-glibc package.
+%endif
+
 %prep
 %setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-%{version}
 %build
 make mrproper
+make headers
+
+for cross_arch in %{cross_archs}; do
+ make ARCH=$cross_arch O=usr/include-$cross_arch headers
+done
 %install
-cd %{_builddir}/CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-%{version}
-make headers
-find usr/include -name '.*' -delete
-rm usr/include/Makefile
+find usr/include* \( -name ".*" -o -name "Makefile" \) -delete
+
 mkdir -p /%{buildroot}%{_includedir}
 cp -rv usr/include/* /%{buildroot}%{_includedir}
+for cross_arch in %{cross_archs}; do
+ cross_arch_includedir=/%{buildroot}%{_prefix}/${cross_arch}-linux-gnu/include
+ mkdir -p $cross_arch_includedir
+ cp -rv usr/include-$cross_arch/usr/include/* $cross_arch_includedir
+done
+
 %files
 %defattr(-,root,root)
 %license COPYING
 %{_includedir}/*
+%if %{build_cross}
+%files -n kernel-cross-headers
+%defattr(-,root,root)
+%{_prefix}/*-linux-gnu/*
+%endif
+
 %changelog
+* Tue Jan 30 2024 CBL-Mariner Servicing Account - 5.15.148.1-1
+- Auto-upgrade to 5.15.148.1
+
+* Thu Jan 25 2024 CBL-Mariner Servicing Account - 5.15.147.1-1
+- Auto-upgrade to 5.15.147.1
+
+* Thu Jan 18 2024 Rachel Menge - 5.15.145.2-3
+- Bump release to match kernel
+
+* Wed Jan 17 2024 Pawel Winogrodzki - 5.15.145.2-2
+- Add the 'kernel-cross-headers' subpackage for aarch64.
+- Used Fedora 38 spec (license: MIT) for guidance.
+
 * Tue Jan 16 2024 Gary Swalling - 5.15.145.2-1
 - Update to 5.15.145.2
@@ -69,7 +119,7 @@ cp -rv usr/include/* /%{buildroot}%{_includedir}
 * Tue Sep 26 2023 CBL-Mariner Servicing Account - 5.15.133.1-1
 - Auto-upgrade to 5.15.133.1
-* Tue Sep 22 2023 Cameron Baird - 5.15.131.1-3
+* Fri Sep 22 2023 Cameron Baird - 5.15.131.1-3
 - Bump release to match kernel
 * Wed Sep 20 2023 Jon Slobodzian - 5.15.131.1-2
diff --git a/SPECS/kernel-mos/config b/SPECS/kernel-mos/config
index 62aef02fa34..f99e01c27de 100644
--- a/SPECS/kernel-mos/config
+++ b/SPECS/kernel-mos/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.145.2 Kernel Configuration
+# Linux/x86_64 5.15.148.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS/kernel-mos/kernel-mos.signatures.json b/SPECS/kernel-mos/kernel-mos.signatures.json
index bb7bfd03e87..e915674eee3 100644
--- a/SPECS/kernel-mos/kernel-mos.signatures.json
+++ b/SPECS/kernel-mos/kernel-mos.signatures.json
@@ -1,8 +1,8 @@
 {
 "Signatures": {
 "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
- "config": "e71a75a38b7c1fd108bb7689b59c0e14c45ed330339c096c02e74ec8f05f47e7",
+ "config": "5e3be1a1f889d4b5725b1a1b357297069bbecfcfb94196924f01fc2b9a2fd94c",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
- "kernel-mos-5.15.145.2.tar.gz": "5697065566072bbc923f416e8c861f2974e544b2d65accda530b3e690a610020"
+ "kernel-mos-5.15.148.1.tar.gz": "534b949ce6973b76c9c342696faf459305ca90b18f2e95a5f1ef676a696e0e0d"
 }
 }
diff --git a/SPECS/kernel-mos/kernel-mos.spec b/SPECS/kernel-mos/kernel-mos.spec
index 55c500e403d..868b23d87d9 100644
--- a/SPECS/kernel-mos/kernel-mos.spec
+++ b/SPECS/kernel-mos/kernel-mos.spec
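Review bot: `cross_archs` is set to `arm64`, the kernel's ARCH name, but the `%install` loop reuses that same value to build the install path `%{_prefix}/${cross_arch}-linux-gnu/include`, so the headers land under `arm64-linux-gnu` while the GNU target triplet for this architecture is `aarch64-linux-gnu`; the `%{_prefix}/*-linux-gnu/*` glob in `%files` matches either name and hides the mismatch. If the consumer is a cross toolchain or cross-glibc as the `%description` says, it will presumably look for the triplet directory and not find these headers — please confirm the expected layout. Mapping the kernel ARCH to the triplet inside the loop would keep both uses correct, e.g. `case $cross_arch in arm64) triplet_arch=aarch64 ;; *) triplet_arch=$cross_arch ;; esac` followed by `cross_arch_includedir=/%{buildroot}%{_prefix}/${triplet_arch}-linux-gnu/include`.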
@@ -18,7 +18,7 @@
 %define config_source %{SOURCE1}
 Summary: Linux Kernel for MOS
 Name: kernel-mos
-Version: 5.15.145.2
+Version: 5.15.148.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -377,6 +377,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 %changelog
+* Wed Jan 31 2024 Gary Swalling - 5.15.148.1-1
+- Update to 5.15.148.1
+
 * Tue Jan 16 2024 Gary Swalling - 5.15.145.2-1
 - Update to 5.15.145.2
diff --git a/SPECS/kernel/CVE-2022-48619.nopatch b/SPECS/kernel/CVE-2022-48619.nopatch
new file mode 100644
index 00000000000..e98b8f47624
--- /dev/null
+++ b/SPECS/kernel/CVE-2022-48619.nopatch
@@ -0,0 +1,3 @@
+CVE-2022-48619 - patched in 5.15.42.1 - (generated by autopatch tool)
+upstream 409353cbe9fe48f6bc196114c442b1cff05a39bc - stable 0211383109832103cfddfd5c5cc99b29d40bb749
+
diff --git a/SPECS/kernel/CVE-2023-46343.nopatch b/SPECS/kernel/CVE-2023-46343.nopatch
new file mode 100644
index 00000000000..74804732bba
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-46343.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-46343 - patched in 5.15.137.1 - (generated by autopatch tool)
+upstream 7937609cd387246aed994e81aa4fa951358fba41 - stable ffdc881f68073ff86bf21afb9bb954812e8278be
+
diff --git a/SPECS/kernel/CVE-2023-46862.nopatch b/SPECS/kernel/CVE-2023-46862.nopatch
new file mode 100644
index 00000000000..a0b4ccecde7
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-46862.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-46862 - patched in 5.15.140.1 - (generated by autopatch tool)
+upstream 7644b1a1c9a7ae8ab99175989bfc8676055edb46 - stable 3d7912710e5e187217313fea5c145881cfeaf952
+
diff --git a/SPECS/kernel/CVE-2023-51042.nopatch b/SPECS/kernel/CVE-2023-51042.nopatch
new file mode 100644
index 00000000000..09f0805deee
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-51042.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-51042 - patched in 5.15.128.1 - (generated by autopatch tool)
+upstream 2e54154b9f27262efd0cb4f903cc7d5ad1fe9628 - stable ef568da1fd843581e855c79a368209b752dea2c1
+
diff --git a/SPECS/kernel/CVE-2023-51043.nopatch b/SPECS/kernel/CVE-2023-51043.nopatch
new file mode 100644
index 00000000000..4660a11b22b
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-51043.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-51043 - patched in 5.15.121.1 - (generated by autopatch tool)
+upstream 4e076c73e4f6e90816b30fcd4a0d7ab365087255 - stable 30580f3a3301173b1413a7b6d6ea100ec8c75da0
+
diff --git a/SPECS/kernel/CVE-2023-51780.nopatch b/SPECS/kernel/CVE-2023-51780.nopatch
new file mode 100644
index 00000000000..b951da76dd8
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-51780.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-51780 - patched in 5.15.144.1 - (generated by autopatch tool)
+upstream 24e90b9e34f9e039f56b5f25f6e6eb92cdd8f4b3 - stable 3bb41dc361bfd938041a1d17a3768aa788a36a3c
+
diff --git a/SPECS/kernel/CVE-2023-51781.nopatch b/SPECS/kernel/CVE-2023-51781.nopatch
new file mode 100644
index 00000000000..05f4f8c4c91
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-51781.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-51781 - patched in 5.15.144.1 - (generated by autopatch tool)
+upstream 189ff16722ee36ced4d2a2469d4ab65a8fee4198 - stable 5b87ac25e8cfeb2d3d27574cdc077b09e8ceca82
+
diff --git a/SPECS/kernel/CVE-2023-51782.nopatch b/SPECS/kernel/CVE-2023-51782.nopatch
new file mode 100644
index 00000000000..4cfaa2a7fcf
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-51782.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-51782 - patched in 5.15.144.1 - (generated by autopatch tool)
+upstream 810c38a369a0a0ce625b5c12169abce1dd9ccd53 - stable 3f1f6a94d8858706863fe90da35663f6e24be274
+
diff --git a/SPECS/kernel/CVE-2023-6546.nopatch b/SPECS/kernel/CVE-2023-6546.nopatch
new file mode 100644
index 00000000000..44bf865eb51
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-6546.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-6546 - patched in 5.15.128.1 - (generated by autopatch tool)
+upstream 3c4f8333b582487a2d1e02171f1465531cde53e3 - stable 2a523446438376bb7c224f3169ae9b98ce0fb893
+
diff --git a/SPECS/kernel/CVE-2023-6622.nopatch b/SPECS/kernel/CVE-2023-6622.nopatch
new file mode 100644
index 00000000000..81f06c20322
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-6622.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-6622 - patched in 5.15.143.1 - (generated by autopatch tool)
+upstream 3701cd390fd731ee7ae8b8006246c8db82c72bea - stable cf5f113c41eb2c7dbe19d849a0883f7a429fa54b
+
diff --git a/SPECS/kernel/CVE-2023-6817.nopatch b/SPECS/kernel/CVE-2023-6817.nopatch
new file mode 100644
index 00000000000..63905f7cf06
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-6817.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-6817 - patched in 5.15.143
+Upstream: 317eb9685095678f2c9f5a8189de698c5354316a
+Stable: e65128616faa101b336e52fefbd62b83bb309916
diff --git a/SPECS/kernel/CVE-2023-6931.nopatch b/SPECS/kernel/CVE-2023-6931.nopatch
new file mode 100644
index 00000000000..0417342ad24
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-6931.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-6931 - patched in 5.15.143
+Upstream: 382c27f4ed28f803b1f1473ac2d8db0afc795a1b
+Stable: ebc7597ce9719d2ff72e13df072680aa491f27fb
diff --git a/SPECS/kernel/CVE-2023-6932.nopatch b/SPECS/kernel/CVE-2023-6932.nopatch
new file mode 100644
index 00000000000..76cbb19f110
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-6932.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-6932 - patched in 5.15.142.1
+Upstream: e2b706c691905fe78468c361aaabc719d0a496f1
+Stable: c4a00c47a140c39a0497a40b0f54cf4586a2b1d7
diff --git a/SPECS/kernel/CVE-2023-7192.nopatch b/SPECS/kernel/CVE-2023-7192.nopatch
new file mode 100644
index 00000000000..51128bce0b1
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-7192.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-7192 - patched in 5.15.100.1 - (generated by autopatch tool)
+upstream ac4893980bbe79ce383daf9a0885666a30fe4c83 - stable af41b3cd9a9245f482b8855bd3c62c6f04ae68ab
+
diff --git a/SPECS/kernel/CVE-2024-0607.nopatch b/SPECS/kernel/CVE-2024-0607.nopatch
new file mode 100644
index 00000000000..7b382246bce
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-0607.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-0607 - patched in 5.15.140.1 - (generated by autopatch tool)
+upstream c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 - stable b8b514b2a6cdfac24911e4910461bcb9db15ca8d
+
diff --git a/SPECS/kernel/CVE-2024-0639.nopatch b/SPECS/kernel/CVE-2024-0639.nopatch
new file mode 100644
index 00000000000..5332d85c87b
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-0639.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-0639 - patched in 5.15.121.1 - (generated by autopatch tool)
+upstream 6feb37b3b06e9049e20dcf7e23998f92c9c5be9a - stable 1fba2510b52f0bb9f408700e78db6d8d0ed6bcd5
+
diff --git a/SPECS/kernel/CVE-2024-0641.nopatch b/SPECS/kernel/CVE-2024-0641.nopatch
new file mode 100644
index 00000000000..975d8fafb19
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-0641.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-0641 - patched in 5.15.135.1 - (generated by autopatch tool)
+upstream 08e50cf071847323414df0835109b6f3560d44f5 - stable 24fb22bddb71c6bfbe0fe25e1b7f793c5b580918
+
diff --git a/SPECS/kernel/CVE-2024-22705.nopatch b/SPECS/kernel/CVE-2024-22705.nopatch
new file mode 100644
index 00000000000..9eb8a48e90e
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-22705.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-22705 - patched in 5.15.146.1 - (generated by autopatch tool)
+upstream d10c77873ba1e9e6b91905018e29e196fd5f863d - stable d739f2b6d8f57aa9377362cd8c0b1152a4dd6bd5
+
diff --git a/SPECS/kernel/config b/SPECS/kernel/config
index 4a416c25ef9..5917b508c23 100644
--- a/SPECS/kernel/config
+++ b/SPECS/kernel/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.145.2 Kernel Configuration
+# Linux/x86_64 5.15.148.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
@@ -423,7 +423,7 @@ CONFIG_PERF_EVENTS_AMD_UNCORE=y
 # end of Performance monitoring
 # CONFIG_X86_VSYSCALL_EMULATION is not set
-# CONFIG_X86_IOPL_IOPERM is not set
+CONFIG_X86_IOPL_IOPERM=y
 # CONFIG_I8K is not set
 CONFIG_MICROCODE=y
 CONFIG_MICROCODE_INTEL=y
diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64
index 86abb2653fd..31c59a811bc 100644
--- a/SPECS/kernel/config_aarch64
+++ b/SPECS/kernel/config_aarch64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.15.145.2 Kernel Configuration
+# Linux/arm64 5.15.148.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
@@ -5134,8 +5134,6 @@ CONFIG_AMLOGIC_THERMAL=y
 CONFIG_BCM_SR_THERMAL=y
 # end of Broadcom thermal drivers
-# CONFIG_TI_SOC_THERMAL is not set
-
 #
 # NVIDIA Tegra thermal drivers
 #
@@ -7399,10 +7397,8 @@ CONFIG_MMC_BCM2835=m
 CONFIG_MMC_MTK=m
 CONFIG_MMC_SDHCI_BRCMSTB=m
 CONFIG_MMC_SDHCI_XENON=m
-CONFIG_MMC_SDHCI_OMAP=m
 CONFIG_MMC_SDHCI_AM654=m
 # CONFIG_MMC_OWL is not set
-CONFIG_MMC_SDHCI_EXTERNAL_DMA=y
 CONFIG_MEMSTICK=m
 # CONFIG_MEMSTICK_DEBUG is not set
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json
index 4f63ef62dd6..13de1f1a8c1 100644
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
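Review bot: `CONFIG_X86_IOPL_IOPERM=y` re-enables the `iopl(2)` and `ioperm(2)` syscalls, which let a process holding CAP_SYS_RAWIO drive x86 I/O ports directly, and neither this hunk nor the matching changelog line in kernel.spec (`- Enable CONFIG_X86_IOPL_IOPERM`) records which consumer needs it. The config file is generated and cannot carry a comment, so the changelog entry is the place to name the requirement, e.g. `- Enable CONFIG_X86_IOPL_IOPERM (required by <consumer>)`. It is also worth confirming that the kernel lockdown LSM remains enabled in this config, since lockdown refuses both syscalls and bounds the exposure on secure-boot systems.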
@@ -1,9 +1,9 @@
 {
 "Signatures": {
 "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
- "config": "a36f5ee119e1a7f1c00ccb36f37346b0f1d86a34dba133c1e10053a3463d5225",
- "config_aarch64": "2e9f491e416e74867c0ec50463847f8335b51934e71071d2e2977cc19bf99015",
+ "config": "280ab4bb65434dfe985c8e3d485b3112da6084529384173b19685e4f8c916da5",
+ "config_aarch64": "3546a62db64a7a0a0114c5f71511ce0d434eed967296907549ceb99fa94e5258",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
- "kernel-5.15.145.2.tar.gz": "5f09cdfe9d04b035d98d5aa5b22dd03e3cd6350ace51dab5c3ceea9283da7b0a"
+ "kernel-5.15.148.1.tar.gz": "e77c297fe3e3f0d9fd403c52f1e959389fa33e6642be9ddd12d4ea7f8927e5d6"
 }
 }
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec
index 29daa403464..50d3ad71b48 100644
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@@ -27,7 +27,7 @@
 Summary: Linux Kernel
 Name: kernel
-Version: 5.15.145.2
+Version: 5.15.148.1
 Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -426,6 +426,18 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 %changelog
+* Tue Jan 30 2024 CBL-Mariner Servicing Account - 5.15.148.1-1
+- Auto-upgrade to 5.15.148.1
+
+* Thu Jan 25 2024 CBL-Mariner Servicing Account - 5.15.147.1-1
+- Auto-upgrade to 5.15.147.1
+
+* Thu Jan 18 2024 Rachel Menge - 5.15.145.2-3
+- Enable CONFIG_X86_IOPL_IOPERM
+
+* Wed Jan 17 2024 Pawel Winogrodzki - 5.15.145.2-2
+- Bump release to match kernel-headers.
+
 * Tue Jan 16 2024 Gary Swalling - 5.15.145.2-1
 - Update to 5.15.145.2
diff --git a/SPECS/kube-vip-cloud-provider/CVE-2022-21698.patch b/SPECS/kube-vip-cloud-provider/CVE-2022-21698.patch
new file mode 100644
index 00000000000..d182f16619a
--- /dev/null
+++ b/SPECS/kube-vip-cloud-provider/CVE-2022-21698.patch
@@ -0,0 +1,364 @@ +From 253029f7ffbade99588df59a8b89a35d99197fe0 Mon Sep 17 00:00:00 2001 +From: Tobias Brick +Date: Tue, 18 Jan 2022 10:19:28 +0100 +Subject: [PATCH] Port upstream patch + https://github.com/prometheus/client_golang/commit/9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 + +Differences: +- Removed tests +- Removed some comments that don't merge +- Line numbers and such + +Based on: + +From 9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 Mon Sep 17 00:00:00 2001 +From: Kemal Akkoyun +Date: Tue, 18 Jan 2022 10:19:28 +0100 +Subject: [PATCH] promhttp: Check validity of method and code label values + (#962) + +* Check validity of method and code label values + +Signed-off-by: Kemal Akkoyun + +* Use more flexibly functional option pattern for configuration + +Signed-off-by: Kemal Akkoyun + +* Update documentation + +Signed-off-by: Kemal Akkoyun + +* Simplify + +Signed-off-by: Kemal Akkoyun + +* Fix inconsistent method naming + +Signed-off-by: Kemal Akkoyun +--- + prometheus/promhttp/instrument_client.go | 28 ++++++-- + prometheus/promhttp/instrument_server.go | 82 ++++++++++++++++++------ + prometheus/promhttp/option.go | 31 +++++++++ + 3 files changed, 116 insertions(+), 25 deletions(-) + create mode 100644 prometheus/promhttp/option.go + +diff --git a/prometheus/promhttp/instrument_client.go b/prometheus/promhttp/instrument_client.go +index 83c49b6..861b4d2 100644 +--- a/prometheus/promhttp/instrument_client.go ++++ b/prometheus/promhttp/instrument_client.go +@@ -49,7 +49,10 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp + // http.RoundTripper to observe the request result with the provided CounterVec. + // The CounterVec must have zero, one, or two non-const non-curried labels. For + // those, the only allowed label names are "code" and "method". The function +-// panics otherwise. Partitioning of the CounterVec happens by HTTP status code ++// panics otherwise. 
For the "method" label a predefined default label value set ++// is used to filter given values. Values besides predefined values will count ++// as `unknown` method.`WithExtraMethods` can be used to add more ++// methods to the set. Partitioning of the CounterVec happens by HTTP status code + // and/or HTTP method if the respective instance label names are present in the + // CounterVec. For unpartitioned counting, use a CounterVec with zero labels. + // +@@ -57,13 +60,18 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp + // is not incremented. + // + // See the example for ExampleInstrumentRoundTripperDuration for example usage. +-func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper) RoundTripperFunc { ++func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { ++ rtOpts := &option{} ++ for _, o := range opts { ++ o(rtOpts) ++ } ++ + code, method := checkLabels(counter) + + return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { + resp, err := next.RoundTrip(r) + if err == nil { +- counter.With(labels(code, method, r.Method, resp.StatusCode)).Inc() ++ counter.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Inc() + } + return resp, err + }) +@@ -73,7 +81,10 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou + // http.RoundTripper to observe the request duration with the provided + // ObserverVec. The ObserverVec must have zero, one, or two non-const + // non-curried labels. For those, the only allowed label names are "code" and +-// "method". The function panics otherwise. The Observe method of the Observer ++// "method". The function panics otherwise. For the "method" label a predefined ++// default label value set is used to filter given values. Values besides ++// predefined values will count as `unknown` method. 
`WithExtraMethods` ++// can be used to add more methods to the set. The Observe method of the Observer + // in the ObserverVec is called with the request duration in + // seconds. Partitioning happens by HTTP status code and/or HTTP method if the + // respective instance label names are present in the ObserverVec. For +@@ -85,14 +96,19 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou + // + // Note that this method is only guaranteed to never observe negative durations + // if used with Go1.9+. +-func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper) RoundTripperFunc { ++func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { ++ rtOpts := &option{} ++ for _, o := range opts { ++ o(rtOpts) ++ } ++ + code, method := checkLabels(obs) + + return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { + start := time.Now() + resp, err := next.RoundTrip(r) + if err == nil { +- obs.With(labels(code, method, r.Method, resp.StatusCode)).Observe(time.Since(start).Seconds()) ++ obs.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Observe(time.Since(start).Seconds()) + } + return resp, err + }) +diff --git a/prometheus/promhttp/instrument_server.go b/prometheus/promhttp/instrument_server.go +index 9db2438..91802f8 100644 +--- a/prometheus/promhttp/instrument_server.go ++++ b/prometheus/promhttp/instrument_server.go +@@ -58,7 +58,12 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next http.Handler) http.Handl + // + // Note that this method is only guaranteed to never observe negative durations + // if used with Go1.9+. 
+-func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) + + if code { +@@ -67,14 +72,14 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht + d := newDelegator(w, nil) + next.ServeHTTP(d, r) + +- obs.With(labels(code, method, r.Method, d.Status())).Observe(time.Since(now).Seconds()) ++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) + }) + } + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + now := time.Now() + next.ServeHTTP(w, r) +- obs.With(labels(code, method, r.Method, 0)).Observe(time.Since(now).Seconds()) ++ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) + }) + } + +@@ -91,20 +96,25 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht + // If the wrapped Handler panics, the Counter is not incremented. + // + // See the example for InstrumentHandlerDuration for example usage. 
+-func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(counter) + + if code { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + d := newDelegator(w, nil) + next.ServeHTTP(d, r) +- counter.With(labels(code, method, r.Method, d.Status())).Inc() ++ counter.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Inc() + }) + } + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + next.ServeHTTP(w, r) +- counter.With(labels(code, method, r.Method, 0)).Inc() ++ counter.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Inc() + }) + } + +@@ -126,13 +136,18 @@ func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) + // if used with Go1.9+. + // + // See the example for InstrumentHandlerDuration for example usage. +-func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + now := time.Now() + d := newDelegator(w, func(status int) { +- obs.With(labels(code, method, r.Method, status)).Observe(time.Since(now).Seconds()) ++ obs.With(labels(code, method, r.Method, status, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) + }) + next.ServeHTTP(d, r) + }) +@@ -154,7 +169,12 @@ func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Ha + // If the wrapped Handler panics, no values are reported. 
+ // + // See the example for InstrumentHandlerDuration for example usage. +-func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) + + if code { +@@ -162,14 +182,14 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) + d := newDelegator(w, nil) + next.ServeHTTP(d, r) + size := computeApproximateRequestSize(r) +- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(size)) ++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(size)) + }) + } + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + next.ServeHTTP(w, r) + size := computeApproximateRequestSize(r) +- obs.With(labels(code, method, r.Method, 0)).Observe(float64(size)) ++ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(float64(size)) + }) + } + +@@ -189,12 +209,18 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) + // If the wrapped Handler panics, no values are reported. + // + // See the example for InstrumentHandlerDuration for example usage. 
+-func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler) http.Handler { ++func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.Handler { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) ++ + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + d := newDelegator(w, nil) + next.ServeHTTP(d, r) +- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(d.Written())) ++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(d.Written())) + }) + } + +@@ -279,7 +305,7 @@ func isLabelCurried(c prometheus.Collector, label string) bool { + // unnecessary allocations on each request. + var emptyLabels = prometheus.Labels{} + +-func labels(code, method bool, reqMethod string, status int) prometheus.Labels { ++func labels(code, method bool, reqMethod string, status int, extraMethods ...string) prometheus.Labels { + if !(code || method) { + return emptyLabels + } +@@ -289,7 +315,7 @@ func labels(code, method bool, reqMethod string, status int) prometheus.Labels { + labels["code"] = sanitizeCode(status) + } + if method { +- labels["method"] = sanitizeMethod(reqMethod) ++ labels["method"] = sanitizeMethod(reqMethod, extraMethods...) + } + + return labels +@@ -319,7 +345,12 @@ func computeApproximateRequestSize(r *http.Request) int { + return s + } + +-func sanitizeMethod(m string) string { ++// If the wrapped http.Handler has a known method, it will be sanitized and returned. ++// Otherwise, "unknown" will be returned. The known method list can be extended ++// as needed by using extraMethods parameter. ++func sanitizeMethod(m string, extraMethods ...string) string { ++ // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for ++ // the methods chosen as default. 
+ switch m { + case "GET", "get": + return "get" +@@ -337,15 +368,25 @@ func sanitizeMethod(m string) string { + return "options" + case "NOTIFY", "notify": + return "notify" ++ case "TRACE", "trace": ++ return "trace" ++ case "PATCH", "patch": ++ return "patch" + default: +- return strings.ToLower(m) ++ for _, method := range extraMethods { ++ if strings.EqualFold(m, method) { ++ return strings.ToLower(m) ++ } ++ } ++ return "unknown" + } + } + + // If the wrapped http.Handler has not set a status code, i.e. the value is +-// currently 0, santizeCode will return 200, for consistency with behavior in ++// currently 0, sanitizeCode will return 200, for consistency with behavior in + // the stdlib. + func sanitizeCode(s int) string { ++ // See for accepted codes https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml + switch s { + case 100: + return "100" +@@ -442,6 +483,9 @@ func sanitizeCode(s int) string { + return "511" + + default: +- return strconv.Itoa(s) ++ if s >= 100 && s <= 599 { ++ return strconv.Itoa(s) ++ } ++ return "unknown" + } + } +diff --git a/prometheus/promhttp/option.go b/prometheus/promhttp/option.go +new file mode 100644 +index 0000000..35e41bd +--- /dev/null ++++ b/prometheus/promhttp/option.go +@@ -0,0 +1,31 @@ ++// Copyright 2022 The Prometheus Authors ++// Licensed under the Apache License, Version 2.0 (the "License"); ++// you may not use this file except in compliance with the License. ++// You may obtain a copy of the License at ++// ++// http://www.apache.org/licenses/LICENSE-2.0 ++// ++// Unless required by applicable law or agreed to in writing, software ++// distributed under the License is distributed on an "AS IS" BASIS, ++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++// See the License for the specific language governing permissions and ++// limitations under the License. ++ ++package promhttp ++ ++// Option are used to configure a middleware or round tripper.. 
++type Option func(*option) ++ ++type option struct { ++ extraMethods []string ++} ++ ++// WithExtraMethods adds additional HTTP methods to the list of allowed methods. ++// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for the default list. ++// ++// See the example for ExampleInstrumentHandlerWithExtraMethods for example usage. ++func WithExtraMethods(methods ...string) Option { ++ return func(o *option) { ++ o.extraMethods = methods ++ } ++} +-- +2.33.8 + diff --git a/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec b/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec index b1769da2738..00c758675da 100644 --- a/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec +++ b/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec @@ -1,7 +1,7 @@ Summary: The Kube-Vip cloud provider functions as a general-purpose cloud provider for on-premises bare-metal or virtualized setups Name: kube-vip-cloud-provider Version: 0.0.2 -Release: 13%{?dist} +Release: 14%{?dist} License: ASL 2.0 URL: https://github.com/kube-vip/kube-vip-cloud-provider Group: Applications/Text @@ -21,15 +21,16 @@ Source0: https://github.com/kube-vip/%{name}/archive/refs/tags/v%{version # 5. tar -cf %%{name}-%%{version}-vendor.tar.gz vendor Source1: %{name}-%{version}-vendor.tar.gz - +Patch0: CVE-2022-21698.patch BuildRequires: golang %description The Kube-Vip cloud provider functions as a general-purpose cloud provider for on-premises bare-metal or virtualized setups. %prep -%setup -q +%autosetup -N tar -xvf %{SOURCE1} +%patch 0 -p1 -d vendor/github.com/prometheus/client_golang %build go build -mod=vendor @@ -42,6 +43,9 @@ install kube-vip-cloud-provider %{buildroot}%{_bindir}/kube-vip-cloud-provider %{_bindir}/kube-vip-cloud-provider %changelog +* Tue Jan 31 2024 Tobias Brick - 0.0.2-14 +- Fix CVE-2022-21698 + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 0.0.2-13 - Bump release to rebuild with go 1.20.9 
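Review bot: In the backported `sanitizeMethod`, an extra method is matched case-insensitively with `strings.EqualFold(m, method)` but the label emitted is `strings.ToLower(m)` — the caller-supplied string, not the configured one — so two request methods that fold equal to the same configured method yet lower differently (Unicode special cases such as U+017F versus "s") still yield distinct label values, which is the cardinality class CVE-2022-21698 is about. Returning the configured name instead, `return strings.ToLower(method)`, makes the method label set exactly the built-in list plus whatever `WithExtraMethods` registered. The practical exposure is presumably small, since Go's HTTP server rejects non-token method names before a handler runs, but the RoundTripper path takes `r.Method` straight from the caller. As this is a vendored copy of an upstream commit, the tweak belongs upstream in prometheus/client_golang as well as in this patch file.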
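Review bot: `%patch 0 -p1 -d vendor/github.com/prometheus/client_golang` rewrites the vendored source but leaves `vendor/modules.txt` (and any go.sum/cgmanifest record) advertising the original, vulnerable client_golang version, so SBOM and vulnerability scanners will keep flagging CVE-2022-21698 on this binary and a future vendor refresh from the same tarball will silently drop the fix. Recommend saying so next to the patch line, e.g. `# Patch0 fixes CVE-2022-21698 in the vendored prometheus/client_golang; vendor/modules.txt still records the unpatched version`, and tracking the real fix as an upgrade of the vendored module. Separately, the space-separated `%patch 0` spelling is only understood by newer rpm; if the build host's rpm predates it, `%patch0 -p1 -d vendor/github.com/prometheus/client_golang` is the portable form.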
diff --git a/SPECS/libdwarf/libdwarf.spec b/SPECS/libdwarf/libdwarf.spec index cd94161cf28..8edd1e8f7c8 100644 --- a/SPECS/libdwarf/libdwarf.spec +++ b/SPECS/libdwarf/libdwarf.spec @@ -1,6 +1,7 @@ Name: libdwarf +Epoch: 1 Version: 0.9.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Library to access the DWARF Debugging file format License: LGPL-2.1-only AND BSD-2-Clause-FreeBSD @@ -11,6 +12,7 @@ Source0: https://www.prevanders.net/%{name}-%{version}.tar.xz Patch0: libdwarf_skip_test.patch BuildRequires: gcc make python3 +Provides: %{name} = %{version}-%{release} %description Library to access the DWARF debugging file format which supports @@ -21,6 +23,7 @@ and Fortran. Please see http://www.dwarfstd.org for DWARF specification. Summary: Library and header files of libdwarf License: LGPL-2.1-only AND BSD-2-Clause-FreeBSD Requires: %{name} = %{version}-%{release} +Provides: %{name}-devel = %{version}-%{release} %description devel Development package containing library and header files of libdwarf. @@ -89,6 +92,9 @@ TZ=:America/Los_Angeles %__make check %changelog +* Fri Jan 19 2024 Sindhu Karri - 1:0.9.0-2 +- Add Epoch to fix version ordering as date versioning had changed to normal versioning + * Tue Jan 02 2024 Sindhu Karri - 0.9.0-1 - Upgraded to 0.9.0 - License verified diff --git a/SPECS/libgit2/libgit2.spec b/SPECS/libgit2/libgit2.spec index 4952c2a72f4..dfa75f2c56a 100644 --- a/SPECS/libgit2/libgit2.spec +++ b/SPECS/libgit2/libgit2.spec @@ -1,7 +1,7 @@ Summary: C implementation of the Git core methods as a library with a solid API Name: libgit2 Version: 1.4.5 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 with exceptions Vendor: Microsoft Corporation Distribution: Mariner @@ -76,6 +76,9 @@ rm -vr deps %{_includedir}/git2/ %changelog +* Wed Jan 17 2024 Harshit Gupta - 1.4.5-3 +- Release bump with no changes to force a rebuild and consume new libssh2 build + * Tue Mar 14 2023 Nicolas Guibourge - 1.4.5-2 - promote to core spec 
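Review bot: With `Epoch: 1` added, the devel subpackage's unchanged `Requires: %{name} = %{version}-%{release}` expands to `libdwarf = 0.9.0-2`, which no longer names the package's real NEVR `libdwarf = 1:0.9.0-2`; it resolves only through the new epoch-less `Provides: %{name} = %{version}-%{release}` shim, so the exact-version link between libdwarf and libdwarf-devel is now enforced against a provide that ignores the epoch. Use the epoch in the inter-subpackage link, `Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release}`, and likewise `Provides: %{name}-devel = %{?epoch:%{epoch}:}%{version}-%{release}`; the epoch-less provides can then stay solely for external specs that pin the old form, with a comment saying that is its purpose. How rpm compares an epoch-less Requires against an epoch'd provide depends on its epoch-promotion setting, so this is worth verifying against the distro's rpm rather than assumed.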
diff --git a/SPECS/libssh2/CVE-2023-48795.patch b/SPECS/libssh2/CVE-2023-48795.patch
new file mode 100644
index 00000000000..d437c545632
--- /dev/null
+++ b/SPECS/libssh2/CVE-2023-48795.patch
@@ -0,0 +1,451 @@ +Backporting the following commit in libssh2 upstream to 1.9.0 + +From d34d9258b8420b19ec3f97b4cc5bf7aa7d98e35a Mon Sep 17 00:00:00 2001 +From: Michael Buckley +Date: Thu, 30 Nov 2023 15:08:02 -0800 +Subject: [PATCH] src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack" + +Refs: +https://terrapin-attack.com/ +https://seclists.org/oss-sec/2023/q4/292 +https://osv.dev/list?ecosystem=&q=CVE-2023-48795 +https://github.com/advisories/GHSA-45x7-px36-x8w8 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795 + +diff --git a/src/kex.c b/src/kex.c +index cb16639..c2675f2 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -3315,6 +3315,13 @@ kex_method_ssh_curve25519_sha256 = { + }; + #endif + ++static const LIBSSH2_KEX_METHOD ++kex_method_strict_client_extension = { ++ "kex-strict-c-v00@openssh.com", ++ NULL, ++ 0, ++}; ++ + static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = { + #if LIBSSH2_ECDSA + &kex_method_ecdh_sha2_nistp256, +@@ -3329,6 +3336,7 @@ static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = { + &kex_method_diffie_helman_group_exchange_sha1, + &kex_method_diffie_helman_group14_sha1, + &kex_method_diffie_helman_group1_sha1, ++ &kex_method_strict_client_extension, + NULL + }; + +@@ -3563,12 +3571,12 @@ static int kexinit(LIBSSH2_SESSION * session) + return 0; + } + +-/* kex_agree_instr ++/* _libssh2_kex_agree_instr + * Kex specific variant of strstr() + * Needle must be precede by BOL or ',', and followed by ',' or EOL + */ +-static unsigned char * +-kex_agree_instr(unsigned char *haystack, unsigned long haystack_len, ++unsigned char * ++_libssh2_kex_agree_instr(unsigned char *haystack, unsigned long haystack_len, + const unsigned char *needle, unsigned long needle_len) + { + unsigned char *s; +@@ -3637,7 +3645,7 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session, + while(s && *s) { + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? 
(size_t)(p - s) : strlen((char *) s)); +- if(kex_agree_instr(hostkey, hostkey_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(hostkey, hostkey_len, s, method_len)) { + const LIBSSH2_HOSTKEY_METHOD *method = + (const LIBSSH2_HOSTKEY_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3671,9 +3679,9 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session, + } + + while(hostkeyp && (*hostkeyp) && (*hostkeyp)->name) { +- s = kex_agree_instr(hostkey, hostkey_len, +- (unsigned char *) (*hostkeyp)->name, +- strlen((*hostkeyp)->name)); ++ s = _libssh2_kex_agree_instr(hostkey, hostkey_len, ++ (unsigned char *) (*hostkeyp)->name, ++ strlen((*hostkeyp)->name)); + if(s) { + /* So far so good, but does it suit our purposes? (Encrypting vs + Signing) */ +@@ -3707,6 +3715,12 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex, + { + const LIBSSH2_KEX_METHOD **kexp = libssh2_kex_methods; + unsigned char *s; ++ const unsigned char *strict = ++ (unsigned char *)"kex-strict-s-v00@openssh.com"; ++ ++ if(_libssh2_kex_agree_instr(kex, kex_len, strict, 28)) { ++ session->kex_strict = 1; ++ } + + if(session->kex_prefs) { + s = (unsigned char *) session->kex_prefs; +@@ -3714,7 +3728,7 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex, + while(s && *s) { + unsigned char *q, *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? 
(size_t)(p - s) : strlen((char *) s)); +- q = kex_agree_instr(kex, kex_len, s, method_len); ++ q = _libssh2_kex_agree_instr(kex, kex_len, s, method_len); + if(q) { + const LIBSSH2_KEX_METHOD *method = (const LIBSSH2_KEX_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3748,9 +3762,9 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex, + } + + while(*kexp && (*kexp)->name) { +- s = kex_agree_instr(kex, kex_len, +- (unsigned char *) (*kexp)->name, +- strlen((*kexp)->name)); ++ s = _libssh2_kex_agree_instr(kex, kex_len, ++ (unsigned char *) (*kexp)->name, ++ strlen((*kexp)->name)); + if(s) { + /* We've agreed on a key exchange method, + * Can we agree on a hostkey that works with this kex? +@@ -3794,7 +3808,7 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session, + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); + +- if(kex_agree_instr(crypt, crypt_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(crypt, crypt_len, s, method_len)) { + const LIBSSH2_CRYPT_METHOD *method = + (const LIBSSH2_CRYPT_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3816,9 +3830,9 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session, + } + + while(*cryptp && (*cryptp)->name) { +- s = kex_agree_instr(crypt, crypt_len, +- (unsigned char *) (*cryptp)->name, +- strlen((*cryptp)->name)); ++ s = _libssh2_kex_agree_instr(crypt, crypt_len, ++ (unsigned char *) (*cryptp)->name, ++ strlen((*cryptp)->name)); + if(s) { + endpoint->crypt = *cryptp; + return 0; +@@ -3849,7 +3863,7 @@ static int kex_agree_mac(LIBSSH2_SESSION * session, + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? 
(size_t)(p - s) : strlen((char *) s)); + +- if(kex_agree_instr(mac, mac_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(mac, mac_len, s, method_len)) { + const LIBSSH2_MAC_METHOD *method = (const LIBSSH2_MAC_METHOD *) + kex_get_method_by_name((char *) s, method_len, + (const LIBSSH2_COMMON_METHOD **) +@@ -3870,8 +3884,9 @@ static int kex_agree_mac(LIBSSH2_SESSION * session, + } + + while(*macp && (*macp)->name) { +- s = kex_agree_instr(mac, mac_len, (unsigned char *) (*macp)->name, +- strlen((*macp)->name)); ++ s = _libssh2_kex_agree_instr(mac, mac_len, ++ (unsigned char *) (*macp)->name, ++ strlen((*macp)->name)); + if(s) { + endpoint->mac = *macp; + return 0; +@@ -3902,7 +3917,7 @@ static int kex_agree_comp(LIBSSH2_SESSION *session, + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); + +- if(kex_agree_instr(comp, comp_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(comp, comp_len, s, method_len)) { + const LIBSSH2_COMP_METHOD *method = + (const LIBSSH2_COMP_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3924,8 +3939,9 @@ static int kex_agree_comp(LIBSSH2_SESSION *session, + } + + while(*compp && (*compp)->name) { +- s = kex_agree_instr(comp, comp_len, (unsigned char *) (*compp)->name, +- strlen((*compp)->name)); ++ s = _libssh2_kex_agree_instr(comp, comp_len, ++ (unsigned char *) (*compp)->name, ++ strlen((*compp)->name)); + if(s) { + endpoint->comp = *compp; + return 0; +@@ -4114,6 +4130,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange, + session->local.kexinit = key_state->oldlocal; + session->local.kexinit_len = key_state->oldlocal_len; + key_state->state = libssh2_NB_state_idle; ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_KEX_ACTIVE; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + return -1; +@@ -4139,6 +4156,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange, + 
session->local.kexinit = key_state->oldlocal; + session->local.kexinit_len = key_state->oldlocal_len; + key_state->state = libssh2_NB_state_idle; ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_KEX_ACTIVE; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + return -1; +@@ -4187,6 +4205,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange, + session->remote.kexinit = NULL; + } + ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_KEX_ACTIVE; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + +diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h +index 33c5ad3..2106786 100644 +--- a/src/libssh2_priv.h ++++ b/src/libssh2_priv.h +@@ -629,6 +629,9 @@ struct _LIBSSH2_SESSION + unsigned char server_hostkey_sha256[SHA256_DIGEST_LENGTH]; + int server_hostkey_sha256_valid; + ++ /* Whether to use the OpenSSH Strict KEX extension */ ++ int kex_strict; ++ + /* (remote as source of data -- packet_read ) */ + libssh2_endpoint_data remote; + +@@ -798,6 +801,7 @@ struct _LIBSSH2_SESSION + int fullpacket_macstate; + size_t fullpacket_payload_len; + int fullpacket_packet_type; ++ uint32_t fullpacket_required_type; + + /* State variables used in libssh2_sftp_init() */ + libssh2_nonblocking_states sftpInit_state; +@@ -845,10 +849,11 @@ struct _LIBSSH2_SESSION + }; + + /* session.state bits */ +-#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000001 +-#define LIBSSH2_STATE_NEWKEYS 0x00000002 +-#define LIBSSH2_STATE_AUTHENTICATED 0x00000004 +-#define LIBSSH2_STATE_KEX_ACTIVE 0x00000008 ++#define LIBSSH2_STATE_INITIAL_KEX 0x00000001 ++#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000002 ++#define LIBSSH2_STATE_NEWKEYS 0x00000004 ++#define LIBSSH2_STATE_AUTHENTICATED 0x00000008 ++#define LIBSSH2_STATE_KEX_ACTIVE 0x00000010 + + /* session.flag helpers */ + #ifdef MSG_NOSIGNAL +@@ -1065,6 +1070,11 @@ ssize_t _libssh2_send(libssh2_socket_t socket, const void *buffer, + int _libssh2_kex_exchange(LIBSSH2_SESSION * 
session, int reexchange, + key_exchange_state_t * state); + ++unsigned char *_libssh2_kex_agree_instr(unsigned char *haystack, ++ size_t haystack_len, ++ const unsigned char *needle, ++ size_t needle_len); ++ + /* Let crypt.c/hostkey.c expose their method structs */ + const LIBSSH2_CRYPT_METHOD **libssh2_crypt_methods(void); + const LIBSSH2_HOSTKEY_METHOD **libssh2_hostkey_methods(void); +diff --git a/src/packet.c b/src/packet.c +index 4f9971a..0a05ffe 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -409,14 +409,13 @@ packet_x11_open(LIBSSH2_SESSION * session, unsigned char *data, + * layer when it has received a packet. + * + * The input pointer 'data' is pointing to allocated data that this function +- * is asked to deal with so on failure OR success, it must be freed fine. +- * The only exception is when the return code is LIBSSH2_ERROR_EAGAIN. ++ * will be freed unless return the code is LIBSSH2_ERROR_EAGAIN. + * + * This function will always be called with 'datalen' greater than zero. 
+ */ + int + _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +- size_t datalen, int macstate) ++ size_t datalen, int macstate, uint32_t seq) + { + int rc = 0; + unsigned char *message = NULL; +@@ -459,6 +458,70 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + break; + } + ++ if(session->state & LIBSSH2_STATE_INITIAL_KEX) { ++ if(msg == SSH_MSG_KEXINIT) { ++ if(!session->kex_strict) { ++ if(datalen < 17) { ++ LIBSSH2_FREE(session, data); ++ session->packAdd_state = libssh2_NB_state_idle; ++ return _libssh2_error(session, ++ LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Data too short extracting kex"); ++ } ++ else { ++ const unsigned char *strict = ++ (unsigned char *)"kex-strict-s-v00@openssh.com"; ++ struct string_buf buf; ++ unsigned char *algs = NULL; ++ size_t algs_len = 0; ++ ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr += 17; /* advance past type and cookie */ ++ ++ if(_libssh2_get_string(&buf, &algs, &algs_len)) { ++ LIBSSH2_FREE(session, data); ++ session->packAdd_state = libssh2_NB_state_idle; ++ return _libssh2_error(session, ++ LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Algs too short"); ++ } ++ ++ if(algs_len == 0 || ++ _libssh2_kex_agree_instr(algs, algs_len, strict, 28)) { ++ session->kex_strict = 1; ++ } ++ } ++ } ++ ++ if(session->kex_strict && seq) { ++ LIBSSH2_FREE(session, data); ++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED; ++ session->packAdd_state = libssh2_NB_state_idle; ++ libssh2_session_disconnect(session, "strict KEX violation: " ++ "KEXINIT was not the first packet"); ++ ++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT, ++ "strict KEX violation: " ++ "KEXINIT was not the first packet"); ++ } ++ } ++ ++ if(session->kex_strict && session->fullpacket_required_type && ++ session->fullpacket_required_type != msg) { ++ LIBSSH2_FREE(session, data); ++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED; ++ session->packAdd_state = 
libssh2_NB_state_idle; ++ libssh2_session_disconnect(session, "strict KEX violation: " ++ "unexpected packet type"); ++ ++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT, ++ "strict KEX violation: " ++ "unexpected packet type"); ++ } ++ } ++ + if(session->packAdd_state == libssh2_NB_state_allocated) { + /* A couple exceptions to the packet adding rule: */ + switch(msg) { +@@ -1060,6 +1123,15 @@ _libssh2_packet_ask(LIBSSH2_SESSION * session, unsigned char packet_type, + + return 0; + } ++ else if(session->kex_strict && ++ (session->state & LIBSSH2_STATE_INITIAL_KEX)) { ++ libssh2_session_disconnect(session, "strict KEX violation: " ++ "unexpected packet type"); ++ ++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT, ++ "strict KEX violation: " ++ "unexpected packet type"); ++ } + packet = _libssh2_list_next(&packet->node); + } + return -1; +@@ -1121,7 +1193,10 @@ _libssh2_packet_require(LIBSSH2_SESSION * session, unsigned char packet_type, + } + + while(session->socket_state == LIBSSH2_SOCKET_CONNECTED) { +- int ret = _libssh2_transport_read(session); ++ int ret; ++ session->fullpacket_required_type = packet_type; ++ ret = _libssh2_transport_read(session); ++ session->fullpacket_required_type = 0; + if(ret == LIBSSH2_ERROR_EAGAIN) + return ret; + else if(ret < 0) { +diff --git a/src/packet.h b/src/packet.h +index d66b15b..8ff231c 100644 +--- a/src/packet.h ++++ b/src/packet.h +@@ -71,6 +71,6 @@ int _libssh2_packet_burn(LIBSSH2_SESSION * session, + int _libssh2_packet_write(LIBSSH2_SESSION * session, unsigned char *data, + unsigned long data_len); + int _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +- size_t datalen, int macstate); ++ size_t datalen, int macstate, uint32_t seq); + + #endif /* LIBSSH2_PACKET_H */ +diff --git a/src/session.c b/src/session.c +index e439acd..d40fde8 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -500,6 +500,8 @@ libssh2_session_init_ex(LIBSSH2_ALLOC_FUNC((*my_alloc)), + 
session->abstract = abstract; + session->api_timeout = 0; /* timeout-free API by default */ + session->api_block_mode = 1; /* blocking API by default */ ++ session->state = LIBSSH2_STATE_INITIAL_KEX; ++ session->fullpacket_required_type = 0; + _libssh2_debug(session, LIBSSH2_TRACE_TRANS, + "New session resource allocated"); + _libssh2_init_if_needed(); +@@ -1171,6 +1173,7 @@ libssh2_session_disconnect_ex(LIBSSH2_SESSION *session, int reason, + const char *desc, const char *lang) + { + int rc; ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + BLOCK_ADJUST(rc, session, + session_disconnect(session, reason, desc, lang)); +diff --git a/src/transport.c b/src/transport.c +index ad11a5a..1cf8b29 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -168,6 +168,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ ) + struct transportpacket *p = &session->packet; + int rc; + int compressed; ++ uint32_t seq = session->remote.seqno; + + if(session->fullpacket_state == libssh2_NB_state_idle) { + session->fullpacket_macstate = LIBSSH2_MAC_CONFIRMED; +@@ -240,7 +241,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ ) + if(session->fullpacket_state == libssh2_NB_state_created) { + rc = _libssh2_packet_add(session, p->payload, + session->fullpacket_payload_len, +- session->fullpacket_macstate); ++ session->fullpacket_macstate, seq); + if(rc == LIBSSH2_ERROR_EAGAIN) + return rc; + if(rc) { +@@ -251,6 +252,11 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ ) + + session->fullpacket_state = libssh2_NB_state_idle; + ++ if(session->kex_strict && ++ session->fullpacket_packet_type == SSH_MSG_NEWKEYS) { ++ session->remote.seqno = 0; ++ } ++ + return session->fullpacket_packet_type; + } + +@@ -885,8 +891,13 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session, + + session->local.seqno++; + ++ if(session->kex_strict && data[0] == SSH_MSG_NEWKEYS) { ++ session->local.seqno = 
0; ++ } ++ + ret = LIBSSH2_SEND(session, p->outbuf, total_length, + LIBSSH2_SOCKET_SEND_FLAGS(session)); ++ + if(ret < 0) + _libssh2_debug(session, LIBSSH2_TRACE_SOCKET, + "Error sending %d bytes: %d", total_length, -ret); diff --git a/SPECS/libssh2/libssh2.spec b/SPECS/libssh2/libssh2.spec index bafe304dae3..4e2567acb17 100644 --- a/SPECS/libssh2/libssh2.spec +++ b/SPECS/libssh2/libssh2.spec @@ -3,7 +3,7 @@ Summary: libssh2 is a library implementing the SSH2 protocol. Name: libssh2 Version: 1.9.0 -Release: 3%{?dist} +Release: 4%{?dist} License: BSD URL: https://www.libssh2.org/ Group: System Environment/NetworkingLibraries @@ -12,6 +12,7 @@ Distribution: Mariner Source0: https://www.libssh2.org/download/libssh2-%{version}.tar.gz Patch0: CVE-2019-17498.patch Patch1: CVE-2020-22218.patch +Patch2: CVE-2023-48795.patch BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -59,6 +60,9 @@ find %{buildroot} -name '*.la' -exec rm -f {} ';' %{_mandir}/man3/* %changelog +* Wed Jan 17 2024 Harshit Gupta - 1.9.0-4 +- Add patch for CVE-2023-48795 + * Wed Sep 13 2023 Suresh Thelkar - 1.9.0-3 - Add patch for CVE-2020-22218 diff --git a/SPECS/libvirt/libvirt.spec b/SPECS/libvirt/libvirt.spec index 3c9f3608ccf..bf0eba9cee4 100644 --- a/SPECS/libvirt/libvirt.spec +++ b/SPECS/libvirt/libvirt.spec @@ -9,7 +9,7 @@ Summary: Virtualization API library that supports KVM, QEMU, Xen, ESX etc Name: libvirt Version: 7.10.0 -Release: 5%{?dist} +Release: 6%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -1055,6 +1055,9 @@ exit 0 %{_libdir}/libnss_libvirt_guest.so.2 %changelog +* Wed Jan 17 2024 Harshit Gupta - 7.10.0-6 +- Release bump with no changes to force a rebuild and consume new libssh2 build + * Wed May 25 2023 Sharath Srikanth Chellappa - 7.10.0-5 - Patch CVE-2023-2700 diff --git a/SPECS/local-path-provisioner/CVE-2022-21698.patch b/SPECS/local-path-provisioner/CVE-2022-21698.patch new file mode 100644 index 00000000000..d182f16619a --- /dev/null 
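Review bot: `Patch2: CVE-2023-48795.patch` is declared in the `@@ -12,6 +12,7` hunk, but the %prep section that would apply it is outside the hunk; please confirm it is actually consumed (an `%autosetup -p1`, or an explicit `%patch -P 2 -p1`), because rpmbuild does not fail on a declared-but-unapplied Patch and 1.9.0-4 would then ship without the strict-KEX change. The libvirt release bump below exists only to rebuild against this libssh2, so it inherits the same risk if the patch is not applied.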
+++ b/SPECS/local-path-provisioner/CVE-2022-21698.patch 
@@ -0,0 +1,364 @@ +From 253029f7ffbade99588df59a8b89a35d99197fe0 Mon Sep 17 00:00:00 2001 +From: Tobias Brick +Date: Tue, 18 Jan 2022 10:19:28 +0100 +Subject: [PATCH] Port upstream patch + https://github.com/prometheus/client_golang/commit/9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 + +Differences: +- Removed tests +- Removed some comments that don't merge +- Line numbers and such + +Based on: + +From 9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 Mon Sep 17 00:00:00 2001 +From: Kemal Akkoyun +Date: Tue, 18 Jan 2022 10:19:28 +0100 +Subject: [PATCH] promhttp: Check validity of method and code label values + (#962) + +* Check validity of method and code label values + +Signed-off-by: Kemal Akkoyun + +* Use more flexibly functional option pattern for configuration + +Signed-off-by: Kemal Akkoyun + +* Update documentation + +Signed-off-by: Kemal Akkoyun + +* Simplify + +Signed-off-by: Kemal Akkoyun + +* Fix inconsistent method naming + +Signed-off-by: Kemal Akkoyun +--- + prometheus/promhttp/instrument_client.go | 28 ++++++-- + prometheus/promhttp/instrument_server.go | 82 ++++++++++++++++++------ + prometheus/promhttp/option.go | 31 +++++++++ + 3 files changed, 116 insertions(+), 25 deletions(-) + create mode 100644 prometheus/promhttp/option.go + +diff --git a/prometheus/promhttp/instrument_client.go b/prometheus/promhttp/instrument_client.go +index 83c49b6..861b4d2 100644 +--- a/prometheus/promhttp/instrument_client.go ++++ b/prometheus/promhttp/instrument_client.go +@@ -49,7 +49,10 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp + // http.RoundTripper to observe the request result with the provided CounterVec. + // The CounterVec must have zero, one, or two non-const non-curried labels. For + // those, the only allowed label names are "code" and "method". The function +-// panics otherwise. Partitioning of the CounterVec happens by HTTP status code ++// panics otherwise. 
For the "method" label a predefined default label value set ++// is used to filter given values. Values besides predefined values will count ++// as `unknown` method.`WithExtraMethods` can be used to add more ++// methods to the set. Partitioning of the CounterVec happens by HTTP status code + // and/or HTTP method if the respective instance label names are present in the + // CounterVec. For unpartitioned counting, use a CounterVec with zero labels. + // +@@ -57,13 +60,18 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp + // is not incremented. + // + // See the example for ExampleInstrumentRoundTripperDuration for example usage. +-func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper) RoundTripperFunc { ++func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { ++ rtOpts := &option{} ++ for _, o := range opts { ++ o(rtOpts) ++ } ++ + code, method := checkLabels(counter) + + return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { + resp, err := next.RoundTrip(r) + if err == nil { +- counter.With(labels(code, method, r.Method, resp.StatusCode)).Inc() ++ counter.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Inc() + } + return resp, err + }) +@@ -73,7 +81,10 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou + // http.RoundTripper to observe the request duration with the provided + // ObserverVec. The ObserverVec must have zero, one, or two non-const + // non-curried labels. For those, the only allowed label names are "code" and +-// "method". The function panics otherwise. The Observe method of the Observer ++// "method". The function panics otherwise. For the "method" label a predefined ++// default label value set is used to filter given values. Values besides ++// predefined values will count as `unknown` method. 
`WithExtraMethods` ++// can be used to add more methods to the set. The Observe method of the Observer + // in the ObserverVec is called with the request duration in + // seconds. Partitioning happens by HTTP status code and/or HTTP method if the + // respective instance label names are present in the ObserverVec. For +@@ -85,14 +96,19 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou + // + // Note that this method is only guaranteed to never observe negative durations + // if used with Go1.9+. +-func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper) RoundTripperFunc { ++func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { ++ rtOpts := &option{} ++ for _, o := range opts { ++ o(rtOpts) ++ } ++ + code, method := checkLabels(obs) + + return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { + start := time.Now() + resp, err := next.RoundTrip(r) + if err == nil { +- obs.With(labels(code, method, r.Method, resp.StatusCode)).Observe(time.Since(start).Seconds()) ++ obs.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Observe(time.Since(start).Seconds()) + } + return resp, err + }) +diff --git a/prometheus/promhttp/instrument_server.go b/prometheus/promhttp/instrument_server.go +index 9db2438..91802f8 100644 +--- a/prometheus/promhttp/instrument_server.go ++++ b/prometheus/promhttp/instrument_server.go +@@ -58,7 +58,12 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next http.Handler) http.Handl + // + // Note that this method is only guaranteed to never observe negative durations + // if used with Go1.9+. 
+-func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) + + if code { +@@ -67,14 +72,14 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht + d := newDelegator(w, nil) + next.ServeHTTP(d, r) + +- obs.With(labels(code, method, r.Method, d.Status())).Observe(time.Since(now).Seconds()) ++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) + }) + } + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + now := time.Now() + next.ServeHTTP(w, r) +- obs.With(labels(code, method, r.Method, 0)).Observe(time.Since(now).Seconds()) ++ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) + }) + } + +@@ -91,20 +96,25 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht + // If the wrapped Handler panics, the Counter is not incremented. + // + // See the example for InstrumentHandlerDuration for example usage. 
+-func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(counter) + + if code { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + d := newDelegator(w, nil) + next.ServeHTTP(d, r) +- counter.With(labels(code, method, r.Method, d.Status())).Inc() ++ counter.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Inc() + }) + } + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + next.ServeHTTP(w, r) +- counter.With(labels(code, method, r.Method, 0)).Inc() ++ counter.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Inc() + }) + } + +@@ -126,13 +136,18 @@ func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) + // if used with Go1.9+. + // + // See the example for InstrumentHandlerDuration for example usage. +-func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + now := time.Now() + d := newDelegator(w, func(status int) { +- obs.With(labels(code, method, r.Method, status)).Observe(time.Since(now).Seconds()) ++ obs.With(labels(code, method, r.Method, status, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) + }) + next.ServeHTTP(d, r) + }) +@@ -154,7 +169,12 @@ func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Ha + // If the wrapped Handler panics, no values are reported. 
+ // + // See the example for InstrumentHandlerDuration for example usage. +-func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) + + if code { +@@ -162,14 +182,14 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) + d := newDelegator(w, nil) + next.ServeHTTP(d, r) + size := computeApproximateRequestSize(r) +- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(size)) ++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(size)) + }) + } + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + next.ServeHTTP(w, r) + size := computeApproximateRequestSize(r) +- obs.With(labels(code, method, r.Method, 0)).Observe(float64(size)) ++ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(float64(size)) + }) + } + +@@ -189,12 +209,18 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) + // If the wrapped Handler panics, no values are reported. + // + // See the example for InstrumentHandlerDuration for example usage. 
+-func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler) http.Handler { ++func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.Handler { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) ++ + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + d := newDelegator(w, nil) + next.ServeHTTP(d, r) +- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(d.Written())) ++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(d.Written())) + }) + } + +@@ -279,7 +305,7 @@ func isLabelCurried(c prometheus.Collector, label string) bool { + // unnecessary allocations on each request. + var emptyLabels = prometheus.Labels{} + +-func labels(code, method bool, reqMethod string, status int) prometheus.Labels { ++func labels(code, method bool, reqMethod string, status int, extraMethods ...string) prometheus.Labels { + if !(code || method) { + return emptyLabels + } +@@ -289,7 +315,7 @@ func labels(code, method bool, reqMethod string, status int) prometheus.Labels { + labels["code"] = sanitizeCode(status) + } + if method { +- labels["method"] = sanitizeMethod(reqMethod) ++ labels["method"] = sanitizeMethod(reqMethod, extraMethods...) + } + + return labels +@@ -319,7 +345,12 @@ func computeApproximateRequestSize(r *http.Request) int { + return s + } + +-func sanitizeMethod(m string) string { ++// If the wrapped http.Handler has a known method, it will be sanitized and returned. ++// Otherwise, "unknown" will be returned. The known method list can be extended ++// as needed by using extraMethods parameter. ++func sanitizeMethod(m string, extraMethods ...string) string { ++ // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for ++ // the methods chosen as default. 
+ switch m { + case "GET", "get": + return "get" +@@ -337,15 +368,25 @@ func sanitizeMethod(m string) string { + return "options" + case "NOTIFY", "notify": + return "notify" ++ case "TRACE", "trace": ++ return "trace" ++ case "PATCH", "patch": ++ return "patch" + default: +- return strings.ToLower(m) ++ for _, method := range extraMethods { ++ if strings.EqualFold(m, method) { ++ return strings.ToLower(m) ++ } ++ } ++ return "unknown" + } + } + + // If the wrapped http.Handler has not set a status code, i.e. the value is +-// currently 0, santizeCode will return 200, for consistency with behavior in ++// currently 0, sanitizeCode will return 200, for consistency with behavior in + // the stdlib. + func sanitizeCode(s int) string { ++ // See for accepted codes https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml + switch s { + case 100: + return "100" +@@ -442,6 +483,9 @@ func sanitizeCode(s int) string { + return "511" + + default: +- return strconv.Itoa(s) ++ if s >= 100 && s <= 599 { ++ return strconv.Itoa(s) ++ } ++ return "unknown" + } + } +diff --git a/prometheus/promhttp/option.go b/prometheus/promhttp/option.go +new file mode 100644 +index 0000000..35e41bd +--- /dev/null ++++ b/prometheus/promhttp/option.go +@@ -0,0 +1,31 @@ ++// Copyright 2022 The Prometheus Authors ++// Licensed under the Apache License, Version 2.0 (the "License"); ++// you may not use this file except in compliance with the License. ++// You may obtain a copy of the License at ++// ++// http://www.apache.org/licenses/LICENSE-2.0 ++// ++// Unless required by applicable law or agreed to in writing, software ++// distributed under the License is distributed on an "AS IS" BASIS, ++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++// See the License for the specific language governing permissions and ++// limitations under the License. ++ ++package promhttp ++ ++// Option are used to configure a middleware or round tripper.. 
++type Option func(*option) ++ ++type option struct { ++ extraMethods []string ++} ++ ++// WithExtraMethods adds additional HTTP methods to the list of allowed methods. ++// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for the default list. ++// ++// See the example for ExampleInstrumentHandlerWithExtraMethods for example usage. ++func WithExtraMethods(methods ...string) Option { ++ return func(o *option) { ++ o.extraMethods = methods ++ } ++} +-- +2.33.8 + diff --git a/SPECS/local-path-provisioner/local-path-provisioner.spec b/SPECS/local-path-provisioner/local-path-provisioner.spec index a106b0a32b5..8b59d743caf 100644 --- a/SPECS/local-path-provisioner/local-path-provisioner.spec +++ b/SPECS/local-path-provisioner/local-path-provisioner.spec @@ -1,7 +1,7 @@ Summary: Provides a way for the Kubernetes users to utilize the local storage in each node Name: local-path-provisioner Version: 0.0.21 -Release: 13%{?dist} +Release: 14%{?dist} License: ASL 2.0 URL: https://github.com/rancher/local-path-provisioner Group: Applications/Text @@ -9,6 +9,8 @@ Vendor: Microsoft Distribution: Mariner Source0: https://github.com/rancher/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz #Note that the source file should be renamed to the format {name}-%{version}.tar.gz +# Fixed in upstream 0.0.24, so we can remove this patch when we upgrade to that version +Patch0: CVE-2022-21698.patch BuildRequires: golang @@ -17,6 +19,7 @@ Provides a way for the Kubernetes users to utilize the local storage in each nod %prep %setup -q +%patch 0 -p1 -d vendor/github.com/prometheus/client_golang %build export CGO_ENABLED=0 @@ -30,6 +33,9 @@ install local-path-provisioner %{buildroot}%{_bindir}/local-path-provisioner %{_bindir}/local-path-provisioner %changelog +* Wed Jan 31 2024 Tobias Brick - 0.0.21-14 +- Fix CVE-2022-21698 + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 0.0.21-13 - Bump release to rebuild with go 1.20.9 
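Review bot: In sanitizeMethod's default branch the matched extra method is reported as `strings.ToLower(m)`, i.e. derived from the request string, rather than from the configured entry; `return strings.ToLower(method)` would guarantee that the emitted label value is one of the operator-supplied names. This matters because the purpose of the change is to bound label cardinality to a fixed set, and strings.EqualFold accepts Unicode simple-fold variants (for example U+017F for "s") that ToLower does not normalize, so with `m` the bound is per fold-class rather than per configured method. Separately, WithExtraMethods assigns `o.extraMethods = methods`, so a second WithExtraMethods option silently discards the first; `o.extraMethods = append(o.extraMethods, methods...)` would match the "adds additional HTTP methods" doc comment. The moby-buildx patch further down ports the same code and shares both points.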
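Review bot: `%patch 0 -p1 -d vendor/github.com/prometheus/client_golang` uses the space-separated `%patch N` form, which only rpm 4.18 and newer understand; `%patch -P 0 -p1 -d vendor/github.com/prometheus/client_golang` is accepted by every rpm release and avoids a build break if the chroot rpm is older. The %build section is outside this hunk, so also confirm that the build compiles the vendor tree (vendored mode is automatic only when go.mod declares go 1.14 or later and vendor/modules.txt is present, or when `-mod=vendor` is set); otherwise the patched copy is not the code that ends up in the binary.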
diff --git a/SPECS/mariadb/fix_symlink_location_db_install.patch b/SPECS/mariadb/fix_symlink_location_db_install.patch new file mode 100644 index 00000000000..a6ee4bfd03b --- /dev/null +++ b/SPECS/mariadb/fix_symlink_location_db_install.patch @@ -0,0 +1,13 @@ +diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt +index 9eec793c9fb..1b0f6bfb680 100644 +--- a/scripts/CMakeLists.txt ++++ b/scripts/CMakeLists.txt +@@ -223,7 +223,7 @@ IF(UNIX AND NOT WITHOUT_SERVER) + DESTINATION ${INSTALL_SCRIPTDIR} + COMPONENT Server) + +- INSTALL_LINK(mariadb-install-db mysql_install_db ${INSTALL_SCRIPTDIR} Server) ++ INSTALL_LINK(mariadb-install-db mysql_install_db ${INSTALL_BINDIR} Server) + ENDIF() + + SET(prefix "${CMAKE_INSTALL_PREFIX}") diff --git a/SPECS/mariadb/mariadb.spec b/SPECS/mariadb/mariadb.spec index e0ce59a2c5a..b9e33d5fcb8 100644 --- a/SPECS/mariadb/mariadb.spec +++ b/SPECS/mariadb/mariadb.spec @@ -1,7 +1,7 @@ Summary: Database servers made by the original developers of MySQL. Name: mariadb Version: 10.6.9 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 WITH exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -12,6 +12,7 @@ Group: Applications/Databases URL: https://mariadb.org/ Source0: https://github.com/MariaDB/server/archive/mariadb-%{version}.tar.gz Patch0: CVE-2022-47015.patch +Patch1: fix_symlink_location_db_install.patch BuildRequires: cmake BuildRequires: curl-devel BuildRequires: e2fsprogs-devel @@ -68,6 +69,7 @@ errmsg for maridb %prep %autosetup -p1 + # Remove PerconaFT from here because of AGPL licence rm -rf storage/tokudb/PerconaFT # Disable "embedded" directory which only contains "test-connect" test 
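Review bot: The changed INSTALL_LINK line now places the `mysql_install_db` link in `${INSTALL_BINDIR}` while the install block immediately above it still uses `DESTINATION ${INSTALL_SCRIPTDIR}`; if INSTALL_LINK creates a relative link (its definition is outside the hunk), the link only resolves when the two directories map to the same path. Stating in the patch header which layout this was validated against, or installing the script to `${INSTALL_BINDIR}` in the same patch, would make the assumption explicit for the next rebase.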
@@ -154,7 +156,7 @@ fi %post server /sbin/ldconfig chown mysql:mysql %{_sharedstatedir}/mysql || : -mysql_install_db --datadir="%{_sharedstatedir}/mysql" --user="mysql" --basedir="%{_prefix}" >/dev/null || : +mariadb-install-db --datadir="%{_sharedstatedir}/mysql" --user="mysql" --basedir="%{_prefix}" >/dev/null || : %systemd_post mariadb.service %postun server @@ -211,6 +213,7 @@ fi %{_bindir}/msql2mysql %{_bindir}/mysql %{_bindir}/mysql_find_rows +%{_bindir}/mysql_install_db %{_bindir}/mysql_plugin %{_bindir}/mysql_waitpid %{_bindir}/mysqlaccess @@ -295,7 +298,7 @@ fi %{_bindir}/myisamchk %{_bindir}/myisamlog %{_bindir}/myisampack -%{_bindir}/mysql_install_db +%{_bindir}/mariadb-install-db %{_bindir}/mysql_secure_installation %{_bindir}/mysql_tzinfo_to_sql %{_bindir}/mysqld_safe @@ -462,6 +465,9 @@ fi %{_datadir}/mysql/hindi/errmsg.sys %changelog +* Thu Jan 18 2024 Andy Zaugg - 10.6.9-6 +- Fix post scripts for rpm install, missing setup(mysql_install_db) script. + * Wed Sep 20 2023 Jon Slobodzian - 10.6.9-5 - Recompile with stack-protection fixed gcc version (CVE-2023-4039) diff --git a/SPECS/mariner-release/mariner-release.spec b/SPECS/mariner-release/mariner-release.spec index 0d29c2cc3f2..92ead0b6c39 100644 --- a/SPECS/mariner-release/mariner-release.spec +++ b/SPECS/mariner-release/mariner-release.spec @@ -1,7 +1,7 @@ Summary: CBL-Mariner release files Name: mariner-release Version: 2.0 -Release: 58%{?dist} +Release: 59%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -62,6 +62,9 @@ EOF %config(noreplace) %{_sysconfdir}/issue.net %changelog +* Thu Feb 01 2024 CBL-Mariner Servicing Account - 2.0-59 +- Bump release for February 2024 Release + * Tue Jan 23 2024 CBL-Mariner Servicing Account - 2.0-58 - Bump release for January 2024 Update 3 diff --git a/SPECS/moby-buildx/CVE-2022-21698.patch b/SPECS/moby-buildx/CVE-2022-21698.patch new file mode 100644 index 00000000000..d703e4b707e --- /dev/null 
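Review bot: After the `@@ -211,6 +213,7` hunk the `%{_bindir}/mysql_install_db` symlink is listed alongside `%{_bindir}/mysql`, while its target `%{_bindir}/mariadb-install-db` is listed alongside `%{_bindir}/myisamchk` in the `@@ -295,7 +298,7` hunk; unless the first subpackage requires the second (its Requires are not visible here), installing it alone leaves a dangling symlink. Keeping `%{_bindir}/mysql_install_db` next to `%{_bindir}/mariadb-install-db`, or adding the dependency, keeps link and target in one package. Note that the `%post server` line keeps the existing `|| :`, so a broken link or a failing `mariadb-install-db` run would still not surface at install time.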
+++ b/SPECS/moby-buildx/CVE-2022-21698.patch 
@@ -0,0 +1,428 @@ +From f74cc87520fb81bb034cb2731ee5609d830499d6 Mon Sep 17 00:00:00 2001 +From: Tobias Brick +Date: Tue, 15 Feb 2022 11:38:19 +0100 +Subject: [PATCH] Port upstream patch + https://github.com/prometheus/client_golang/commit/9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 + +Differences: +- Removed tests + +Based On: + +From 989baa30fe956631907493ccee1f8e7708660d96 Mon Sep 17 00:00:00 2001 +From: Bartlomiej Plotka +Date: Tue, 15 Feb 2022 11:38:19 +0100 +Subject: [PATCH] promhttp: Check validity of method and code label values + (#962) (#987) + +* Check validity of method and code label values + +Signed-off-by: Kemal Akkoyun + +* Use more flexibly functional option pattern for configuration + +Signed-off-by: Kemal Akkoyun + +* Update documentation + +Signed-off-by: Kemal Akkoyun + +* Simplify + +Signed-off-by: Kemal Akkoyun + +* Fix inconsistent method naming + +Signed-off-by: Kemal Akkoyun + +Co-authored-by: Kemal Akkoyun +--- + prometheus/promhttp/instrument_client.go | 28 ++++-- + prometheus/promhttp/instrument_server.go | 111 +++++++++++++++++------ + prometheus/promhttp/option.go | 31 +++++++ + 3 files changed, 138 insertions(+), 32 deletions(-) + create mode 100644 prometheus/promhttp/option.go + +diff --git a/prometheus/promhttp/instrument_client.go b/prometheus/promhttp/instrument_client.go +index 83c49b6..861b4d2 100644 +--- a/prometheus/promhttp/instrument_client.go ++++ b/prometheus/promhttp/instrument_client.go +@@ -49,7 +49,10 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp + // http.RoundTripper to observe the request result with the provided CounterVec. + // The CounterVec must have zero, one, or two non-const non-curried labels. For + // those, the only allowed label names are "code" and "method". The function +-// panics otherwise. Partitioning of the CounterVec happens by HTTP status code ++// panics otherwise. 
For the "method" label a predefined default label value set ++// is used to filter given values. Values besides predefined values will count ++// as `unknown` method.`WithExtraMethods` can be used to add more ++// methods to the set. Partitioning of the CounterVec happens by HTTP status code + // and/or HTTP method if the respective instance label names are present in the + // CounterVec. For unpartitioned counting, use a CounterVec with zero labels. + // +@@ -57,13 +60,18 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp + // is not incremented. + // + // See the example for ExampleInstrumentRoundTripperDuration for example usage. +-func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper) RoundTripperFunc { ++func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { ++ rtOpts := &option{} ++ for _, o := range opts { ++ o(rtOpts) ++ } ++ + code, method := checkLabels(counter) + + return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { + resp, err := next.RoundTrip(r) + if err == nil { +- counter.With(labels(code, method, r.Method, resp.StatusCode)).Inc() ++ counter.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Inc() + } + return resp, err + }) +@@ -73,7 +81,10 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou + // http.RoundTripper to observe the request duration with the provided + // ObserverVec. The ObserverVec must have zero, one, or two non-const + // non-curried labels. For those, the only allowed label names are "code" and +-// "method". The function panics otherwise. The Observe method of the Observer ++// "method". The function panics otherwise. For the "method" label a predefined ++// default label value set is used to filter given values. Values besides ++// predefined values will count as `unknown` method. 
`WithExtraMethods` ++// can be used to add more methods to the set. The Observe method of the Observer + // in the ObserverVec is called with the request duration in + // seconds. Partitioning happens by HTTP status code and/or HTTP method if the + // respective instance label names are present in the ObserverVec. For +@@ -85,14 +96,19 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou + // + // Note that this method is only guaranteed to never observe negative durations + // if used with Go1.9+. +-func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper) RoundTripperFunc { ++func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { ++ rtOpts := &option{} ++ for _, o := range opts { ++ o(rtOpts) ++ } ++ + code, method := checkLabels(obs) + + return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { + start := time.Now() + resp, err := next.RoundTrip(r) + if err == nil { +- obs.With(labels(code, method, r.Method, resp.StatusCode)).Observe(time.Since(start).Seconds()) ++ obs.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Observe(time.Since(start).Seconds()) + } + return resp, err + }) +diff --git a/prometheus/promhttp/instrument_server.go b/prometheus/promhttp/instrument_server.go +index ab037db..a23f0ed 100644 +--- a/prometheus/promhttp/instrument_server.go ++++ b/prometheus/promhttp/instrument_server.go +@@ -45,7 +45,10 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next http.Handler) http.Handl + // http.Handler to observe the request duration with the provided ObserverVec. + // The ObserverVec must have valid metric and label names and must have zero, + // one, or two non-const non-curried labels. For those, the only allowed label +-// names are "code" and "method". The function panics otherwise. The Observe ++// names are "code" and "method". The function panics otherwise. 
For the "method" ++// label a predefined default label value set is used to filter given values. ++// Values besides predefined values will count as `unknown` method. ++//`WithExtraMethods` can be used to add more methods to the set. The Observe + // method of the Observer in the ObserverVec is called with the request duration + // in seconds. Partitioning happens by HTTP status code and/or HTTP method if + // the respective instance label names are present in the ObserverVec. For +@@ -58,7 +61,12 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next http.Handler) http.Handl + // + // Note that this method is only guaranteed to never observe negative durations + // if used with Go1.9+. +-func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) + + if code { +@@ -67,14 +75,14 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht + d := newDelegator(w, nil) + next.ServeHTTP(d, r) + +- obs.With(labels(code, method, r.Method, d.Status())).Observe(time.Since(now).Seconds()) ++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) + }) + } + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + now := time.Now() + next.ServeHTTP(w, r) +- obs.With(labels(code, method, r.Method, 0)).Observe(time.Since(now).Seconds()) ++ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) + }) + } + +@@ -82,7 +90,10 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht + // to observe the request result with the provided CounterVec. 
The CounterVec + // must have valid metric and label names and must have zero, one, or two + // non-const non-curried labels. For those, the only allowed label names are +-// "code" and "method". The function panics otherwise. Partitioning of the ++// "code" and "method". The function panics otherwise. For the "method" ++// label a predefined default label value set is used to filter given values. ++// Values besides predefined values will count as `unknown` method. ++// `WithExtraMethods` can be used to add more methods to the set. Partitioning of the + // CounterVec happens by HTTP status code and/or HTTP method if the respective + // instance label names are present in the CounterVec. For unpartitioned + // counting, use a CounterVec with zero labels. +@@ -92,20 +103,25 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht + // If the wrapped Handler panics, the Counter is not incremented. + // + // See the example for InstrumentHandlerDuration for example usage. 
+-func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(counter) + + if code { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + d := newDelegator(w, nil) + next.ServeHTTP(d, r) +- counter.With(labels(code, method, r.Method, d.Status())).Inc() ++ counter.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Inc() + }) + } + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + next.ServeHTTP(w, r) +- counter.With(labels(code, method, r.Method, 0)).Inc() ++ counter.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Inc() + }) + } + +@@ -114,7 +130,10 @@ func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) + // until the response headers are written. The ObserverVec must have valid + // metric and label names and must have zero, one, or two non-const non-curried + // labels. For those, the only allowed label names are "code" and "method". The +-// function panics otherwise. The Observe method of the Observer in the ++// function panics otherwise. For the "method" label a predefined default label ++// value set is used to filter given values. Values besides predefined values ++// will count as `unknown` method.`WithExtraMethods` can be used to add more ++// methods to the set. The Observe method of the Observer in the + // ObserverVec is called with the request duration in seconds. Partitioning + // happens by HTTP status code and/or HTTP method if the respective instance + // label names are present in the ObserverVec. For unpartitioned observations, +@@ -128,13 +147,18 @@ func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) + // if used with Go1.9+. 
+ // + // See the example for InstrumentHandlerDuration for example usage. +-func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + now := time.Now() + d := newDelegator(w, func(status int) { +- obs.With(labels(code, method, r.Method, status)).Observe(time.Since(now).Seconds()) ++ obs.With(labels(code, method, r.Method, status, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) + }) + next.ServeHTTP(d, r) + }) +@@ -144,8 +168,11 @@ func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Ha + // http.Handler to observe the request size with the provided ObserverVec. The + // ObserverVec must have valid metric and label names and must have zero, one, + // or two non-const non-curried labels. For those, the only allowed label names +-// are "code" and "method". The function panics otherwise. The Observe method of +-// the Observer in the ObserverVec is called with the request size in ++// are "code" and "method". The function panics otherwise. For the "method" ++// label a predefined default label value set is used to filter given values. ++// Values besides predefined values will count as `unknown` method. ++// `WithExtraMethods` can be used to add more methods to the set. The Observe ++// method of the Observer in the ObserverVec is called with the request size in + // bytes. Partitioning happens by HTTP status code and/or HTTP method if the + // respective instance label names are present in the ObserverVec. For + // unpartitioned observations, use an ObserverVec with zero labels. 
Note that +@@ -156,7 +183,12 @@ func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Ha + // If the wrapped Handler panics, no values are reported. + // + // See the example for InstrumentHandlerDuration for example usage. +-func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { ++func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) + + if code { +@@ -164,14 +196,14 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) + d := newDelegator(w, nil) + next.ServeHTTP(d, r) + size := computeApproximateRequestSize(r) +- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(size)) ++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(size)) + }) + } + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + next.ServeHTTP(w, r) + size := computeApproximateRequestSize(r) +- obs.With(labels(code, method, r.Method, 0)).Observe(float64(size)) ++ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(float64(size)) + }) + } + +@@ -179,8 +211,11 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) + // http.Handler to observe the response size with the provided ObserverVec. The + // ObserverVec must have valid metric and label names and must have zero, one, + // or two non-const non-curried labels. For those, the only allowed label names +-// are "code" and "method". The function panics otherwise. The Observe method of +-// the Observer in the ObserverVec is called with the response size in ++// are "code" and "method". The function panics otherwise. For the "method" ++// label a predefined default label value set is used to filter given values. 
++// Values besides predefined values will count as `unknown` method. ++// `WithExtraMethods` can be used to add more methods to the set. The Observe ++// method of the Observer in the ObserverVec is called with the response size in + // bytes. Partitioning happens by HTTP status code and/or HTTP method if the + // respective instance label names are present in the ObserverVec. For + // unpartitioned observations, use an ObserverVec with zero labels. Note that +@@ -191,12 +226,18 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) + // If the wrapped Handler panics, no values are reported. + // + // See the example for InstrumentHandlerDuration for example usage. +-func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler) http.Handler { ++func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.Handler { ++ mwOpts := &option{} ++ for _, o := range opts { ++ o(mwOpts) ++ } ++ + code, method := checkLabels(obs) ++ + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + d := newDelegator(w, nil) + next.ServeHTTP(d, r) +- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(d.Written())) ++ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(d.Written())) + }) + } + +@@ -290,7 +331,7 @@ func isLabelCurried(c prometheus.Collector, label string) bool { + // unnecessary allocations on each request. 
+ var emptyLabels = prometheus.Labels{} + +-func labels(code, method bool, reqMethod string, status int) prometheus.Labels { ++func labels(code, method bool, reqMethod string, status int, extraMethods ...string) prometheus.Labels { + if !(code || method) { + return emptyLabels + } +@@ -300,7 +341,7 @@ func labels(code, method bool, reqMethod string, status int) prometheus.Labels { + labels["code"] = sanitizeCode(status) + } + if method { +- labels["method"] = sanitizeMethod(reqMethod) ++ labels["method"] = sanitizeMethod(reqMethod, extraMethods...) + } + + return labels +@@ -330,7 +371,12 @@ func computeApproximateRequestSize(r *http.Request) int { + return s + } + +-func sanitizeMethod(m string) string { ++// If the wrapped http.Handler has a known method, it will be sanitized and returned. ++// Otherwise, "unknown" will be returned. The known method list can be extended ++// as needed by using extraMethods parameter. ++func sanitizeMethod(m string, extraMethods ...string) string { ++ // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for ++ // the methods chosen as default. + switch m { + case "GET", "get": + return "get" +@@ -348,15 +394,25 @@ func sanitizeMethod(m string) string { + return "options" + case "NOTIFY", "notify": + return "notify" ++ case "TRACE", "trace": ++ return "trace" ++ case "PATCH", "patch": ++ return "patch" + default: +- return strings.ToLower(m) ++ for _, method := range extraMethods { ++ if strings.EqualFold(m, method) { ++ return strings.ToLower(m) ++ } ++ } ++ return "unknown" + } + } + + // If the wrapped http.Handler has not set a status code, i.e. the value is +-// currently 0, santizeCode will return 200, for consistency with behavior in ++// currently 0, sanitizeCode will return 200, for consistency with behavior in + // the stdlib. 
+ func sanitizeCode(s int) string { ++ // See for accepted codes https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml + switch s { + case 100: + return "100" +@@ -453,6 +509,9 @@ func sanitizeCode(s int) string { + return "511" + + default: +- return strconv.Itoa(s) ++ if s >= 100 && s <= 599 { ++ return strconv.Itoa(s) ++ } ++ return "unknown" + } + } +diff --git a/prometheus/promhttp/option.go b/prometheus/promhttp/option.go +new file mode 100644 +index 0000000..35e41bd +--- /dev/null ++++ b/prometheus/promhttp/option.go +@@ -0,0 +1,31 @@ ++// Copyright 2022 The Prometheus Authors ++// Licensed under the Apache License, Version 2.0 (the "License"); ++// you may not use this file except in compliance with the License. ++// You may obtain a copy of the License at ++// ++// http://www.apache.org/licenses/LICENSE-2.0 ++// ++// Unless required by applicable law or agreed to in writing, software ++// distributed under the License is distributed on an "AS IS" BASIS, ++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++// See the License for the specific language governing permissions and ++// limitations under the License. ++ ++package promhttp ++ ++// Option are used to configure a middleware or round tripper.. ++type Option func(*option) ++ ++type option struct { ++ extraMethods []string ++} ++ ++// WithExtraMethods adds additional HTTP methods to the list of allowed methods. ++// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for the default list. ++// ++// See the example for ExampleInstrumentHandlerWithExtraMethods for example usage. ++func WithExtraMethods(methods ...string) Option { ++ return func(o *option) { ++ o.extraMethods = methods ++ } ++} +-- +2.33.8 + diff --git a/SPECS/moby-buildx/moby-buildx.spec b/SPECS/moby-buildx/moby-buildx.spec index 82961c13a3e..105f7748887 100644 --- a/SPECS/moby-buildx/moby-buildx.spec +++ b/SPECS/moby-buildx/moby-buildx.spec 
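Review bot: `WithExtraMethods` in the new option.go assigns `o.extraMethods = methods`, so a caller passing the option twice keeps only the last list even though its doc comment says it "adds" methods; this matches the upstream commit the header cites, so it should stay as-is in the backport, but recording the quirk in the patch header would stop a later maintainer from "fixing" the vendored copy away from upstream. The header also states "Removed tests", which means the `unknown` fallbacks added to `sanitizeMethod` and `sanitizeCode` are exercised by nothing in this patch; unless the spec's `%check` covers them, a sentence in the header pointing at the dropped upstream tests would let a future reviewer verify the backport against upstream.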
@@ -5,13 +5,15 @@ Summary: A Docker CLI plugin for extended build capabilities with BuildKi Name: moby-%{upstream_name} # update "commit_hash" above when upgrading version Version: 0.7.1 -Release: 15%{?dist} +Release: 16%{?dist} License: ASL 2.0 Group: Tools/Container Vendor: Microsoft Corporation Distribution: Mariner URL: https://www.github.com/docker/buildx Source0: https://github.com/docker/buildx/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +# Fixed in upstream v0.8.0. Can remove when we upgrade to that version. +Patch0: CVE-2022-21698.patch BuildRequires: bash BuildRequires: golang >= 1.17 @@ -25,6 +27,7 @@ A Docker CLI plugin for extended build capabilities with BuildKit %prep %setup -q -n %{upstream_name}-%{version} +%patch 0 -p1 -d vendor/github.com/prometheus/client_golang %build export CGO_ENABLED=0 @@ -42,6 +45,9 @@ cp -aT buildx "%{buildroot}/%{_libexecdir}/docker/cli-plugins/docker-buildx" %{_libexecdir}/docker/cli-plugins/docker-buildx %changelog +* Thu Feb 01 2024 Tobias Brick - 0.7.1-16 +- Fix CVE-2022-21698 + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 0.7.1-15 - Bump release to rebuild with go 1.20.9 diff --git a/SPECS/moby-runc/0001-cgroups-cpuset-fix-byte-order-while-parsing-cpuset-r.patch b/SPECS/moby-runc/0001-cgroups-cpuset-fix-byte-order-while-parsing-cpuset-r.patch deleted file mode 100644 index b15dbb6cd61..00000000000 --- a/SPECS/moby-runc/0001-cgroups-cpuset-fix-byte-order-while-parsing-cpuset-r.patch +++ /dev/null 
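Review bot: `%patch 0 -p1 -d vendor/github.com/prometheus/client_golang` rewrites only the vendored source; `go.mod` and `vendor/modules.txt` still record the unpatched client_golang version, so module-metadata-based vulnerability scanners and SBOM tooling will keep reporting CVE-2022-21698 against this build. Extend the `Patch0` comment to say so, e.g. `# Applied to the vendored copy only; go.mod/vendor/modules.txt still list the unpatched client_golang version, so metadata-based CVE scanners may still flag CVE-2022-21698.`, so the finding can be triaged as a known false positive rather than re-investigated on every scan.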
@@ -1,78 +0,0 @@ -From 77cae9addc0c7c9ef52513b4e46b2e6485e4e469 Mon Sep 17 00:00:00 2001 -From: "Chengen, Du" -Date: Mon, 26 Sep 2022 14:28:18 +0800 -Subject: [PATCH] cgroups: cpuset: fix byte order while parsing cpuset range to - bits - -Runc parses cpuset range to bits in the case of cgroup v2 + systemd as cgroup driver. -The byte order representation differs from systemd expectation, which will set -different cpuset range in systemd transient unit if the length of parsed byte array exceeds one. - - # cat config.json - ... - "resources": { - ... - "cpu": { - "cpus": "10-23" - } - }, - ... - # runc --systemd-cgroup run test - # cat /run/systemd/transient/runc-test.scope.d/50-AllowedCPUs.conf - # This is a drop-in unit file extension, created via "systemctl set-property" - # or an equivalent operation. Do not edit. - [Scope] - AllowedCPUs=0-7 10-15 - -The cpuset.cpus in cgroup will also be set to wrong value after reloading systemd manager configuration. - - # systemctl daemon-reload - # cat /sys/fs/cgroup/system.slice/runc-test.scope/cpuset.cpus - 0-7,10-15 - -Signed-off-by: seyeongkim -Signed-off-by: Chengen, Du ---- - libcontainer/cgroups/systemd/cpuset.go | 5 +++++ - libcontainer/cgroups/systemd/cpuset_test.go | 6 +++--- - 2 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/libcontainer/cgroups/systemd/cpuset.go b/libcontainer/cgroups/systemd/cpuset.go -index 83d10dd7..dd474cf1 100644 ---- a/libcontainer/cgroups/systemd/cpuset.go -+++ b/libcontainer/cgroups/systemd/cpuset.go -@@ -51,5 +51,10 @@ func RangeToBits(str string) ([]byte, error) { - // do not allow empty values - return nil, errors.New("empty value") - } -+ -+ // fit cpuset parsing order in systemd -+ for l, r := 0, len(ret)-1; l < r; l, r = l+1, r-1 { -+ ret[l], ret[r] = ret[r], ret[l] -+ } - return ret, nil - } -diff --git a/libcontainer/cgroups/systemd/cpuset_test.go b/libcontainer/cgroups/systemd/cpuset_test.go -index 3030cba9..bda31a5b 100644 ---- 
a/libcontainer/cgroups/systemd/cpuset_test.go -+++ b/libcontainer/cgroups/systemd/cpuset_test.go -@@ -22,13 +22,13 @@ func TestRangeToBits(t *testing.T) { - {in: "4-7", out: []byte{0xf0}}, - {in: "0-7", out: []byte{0xff}}, - {in: "0-15", out: []byte{0xff, 0xff}}, -- {in: "16", out: []byte{1, 0, 0}}, -- {in: "0-3,32-33", out: []byte{3, 0, 0, 0, 0x0f}}, -+ {in: "16", out: []byte{0, 0, 1}}, -+ {in: "0-3,32-33", out: []byte{0x0f, 0, 0, 0, 3}}, - // extra spaces and tabs are ok - {in: "1, 2, 1-2", out: []byte{6}}, - {in: " , 1 , 3 , 5-7, ", out: []byte{0xea}}, - // somewhat large values -- {in: "128-130,1", out: []byte{7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}}, -+ {in: "128-130,1", out: []byte{2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7}}, - - {in: "-", isErr: true}, - {in: "1-", isErr: true}, --- -2.25.1 - diff --git a/SPECS/moby-runc/CVE-2024-21626.patch b/SPECS/moby-runc/CVE-2024-21626.patch new file mode 100644 index 00000000000..495bbc9d85e --- /dev/null +++ b/SPECS/moby-runc/CVE-2024-21626.patch 
@@ -0,0 +1,291 @@ +From 7362cd5afe9d40131fb62cb075092025c7c71064 Mon Sep 17 00:00:00 2001 +From: "hang.jiang" +Date: Fri, 1 Sep 2023 16:17:13 +0800 +Subject: [runc v1.1.z PATCH 1/6] Fix File to Close + +(This is a cherry-pick of 937ca107c3d22da77eb8e8030f2342253b980980.) + +Signed-off-by: hang.jiang +Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626 +Signed-off-by: Aleksa Sarai +--- + libcontainer/cgroups/fs/paths.go | 1 + + update.go | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/libcontainer/cgroups/fs/paths.go b/libcontainer/cgroups/fs/paths.go +index 1092331b25d8..2cb970a3d55b 100644 +--- a/libcontainer/cgroups/fs/paths.go ++++ b/libcontainer/cgroups/fs/paths.go +@@ -83,6 +83,7 @@ func tryDefaultCgroupRoot() string { + if err != nil { + return "" + } ++ defer dir.Close() + names, err := dir.Readdirnames(1) + if err != nil { + return "" +diff --git a/update.go b/update.go +index 9ce5a2e835b2..6d582ddddecb 100644 +--- a/update.go ++++ b/update.go +@@ -174,6 +174,7 @@ other options are ignored. + if err != nil { + return err + } ++ defer f.Close() + } + err = json.NewDecoder(f).Decode(&r) + if err != nil { +-- +2.43.0 + +From 2ed79a6c91e56dcd2d1da47f8ffd663066153746 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Tue, 26 Dec 2023 23:53:07 +1100 +Subject: [runc v1.1.z PATCH 2/6] init: verify after chdir that cwd is inside + the container + +If a file descriptor of a directory in the host's mount namespace is +leaked to runc init, a malicious config.json could use /proc/self/fd/... +as a working directory to allow for host filesystem access after the +container runs. This can also be exploited by a container process if it +knows that an administrator will use "runc exec --cwd" and the target +--cwd (the attacker can change that cwd to be a symlink pointing to +/proc/self/fd/... and wait for the process to exec and then snoop on +/proc/$pid/cwd to get access to the host). 
The former issue can lead to +a critical vulnerability in Docker and Kubernetes, while the latter is a +container breakout. + +We can (ab)use the fact that getcwd(2) on Linux detects this exact case, +and getcwd(3) and Go's Getwd() return an error as a result. Thus, if we +just do os.Getwd() after chdir we can easily detect this case and error +out. + +In runc 1.1, a /sys/fs/cgroup handle happens to be leaked to "runc +init", making this exploitable. On runc main it just so happens that the +leaked /sys/fs/cgroup gets clobbered and thus this is only consistently +exploitable for runc 1.1. + +Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626 +Co-developed-by: lifubang +Signed-off-by: lifubang +[refactored the implementation and added more comments] +Signed-off-by: Aleksa Sarai +--- + libcontainer/init_linux.go | 31 ++++++++++++++++++++++++ + libcontainer/integration/seccomp_test.go | 20 +++++++-------- + 2 files changed, 41 insertions(+), 10 deletions(-) + +diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go +index 5b88c71fc83a..057b30669811 100644 +--- a/libcontainer/init_linux.go ++++ b/libcontainer/init_linux.go +@@ -8,6 +8,7 @@ import ( + "io" + "net" + "os" ++ "path/filepath" + "strings" + "unsafe" + +@@ -135,6 +136,32 @@ func populateProcessEnvironment(env []string) error { + return nil + } + ++// verifyCwd ensures that the current directory is actually inside the mount ++// namespace root of the current process. ++func verifyCwd() error { ++ // getcwd(2) on Linux detects if cwd is outside of the rootfs of the ++ // current mount namespace root, and in that case prefixes "(unreachable)" ++ // to the returned string. glibc's getcwd(3) and Go's Getwd() both detect ++ // when this happens and return ENOENT rather than returning a non-absolute ++ // path. In both cases we can therefore easily detect if we have an invalid ++ // cwd by checking the return value of getcwd(3). 
See getcwd(3) for more ++ // details, and CVE-2024-21626 for the security issue that motivated this ++ // check. ++ // ++ // We have to use unix.Getwd() here because os.Getwd() has a workaround for ++ // $PWD which involves doing stat(.), which can fail if the current ++ // directory is inaccessible to the container process. ++ if wd, err := unix.Getwd(); err == unix.ENOENT { ++ return errors.New("current working directory is outside of container mount namespace root -- possible container breakout detected") ++ } else if err != nil { ++ return fmt.Errorf("failed to verify if current working directory is safe: %w", err) ++ } else if !filepath.IsAbs(wd) { ++ // We shouldn't ever hit this, but check just in case. ++ return fmt.Errorf("current working directory is not absolute -- possible container breakout detected: cwd is %q", wd) ++ } ++ return nil ++} ++ + // finalizeNamespace drops the caps, sets the correct user + // and working dir, and closes any leaked file descriptors + // before executing the command inside the namespace +@@ -193,6 +220,10 @@ func finalizeNamespace(config *initConfig) error { + return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %w", config.Cwd, err) + } + } ++ // Make sure our final working directory is inside the container. 
++ if err := verifyCwd(); err != nil { ++ return err ++ } + if err := system.ClearKeepCaps(); err != nil { + return fmt.Errorf("unable to clear keep caps: %w", err) + } +diff --git a/libcontainer/integration/seccomp_test.go b/libcontainer/integration/seccomp_test.go +index 31092a0a5d21..ecdfa7957df1 100644 +--- a/libcontainer/integration/seccomp_test.go ++++ b/libcontainer/integration/seccomp_test.go +@@ -13,7 +13,7 @@ import ( + libseccomp "github.com/seccomp/libseccomp-golang" + ) + +-func TestSeccompDenyGetcwdWithErrno(t *testing.T) { ++func TestSeccompDenySyslogWithErrno(t *testing.T) { + if testing.Short() { + return + } +@@ -25,7 +25,7 @@ func TestSeccompDenyGetcwdWithErrno(t *testing.T) { + DefaultAction: configs.Allow, + Syscalls: []*configs.Syscall{ + { +- Name: "getcwd", ++ Name: "syslog", + Action: configs.Errno, + ErrnoRet: &errnoRet, + }, +@@ -39,7 +39,7 @@ func TestSeccompDenyGetcwdWithErrno(t *testing.T) { + buffers := newStdBuffers() + pwd := &libcontainer.Process{ + Cwd: "/", +- Args: []string{"pwd"}, ++ Args: []string{"dmesg"}, + Env: standardEnvironment, + Stdin: buffers.Stdin, + Stdout: buffers.Stdout, +@@ -65,17 +65,17 @@ func TestSeccompDenyGetcwdWithErrno(t *testing.T) { + } + + if exitCode == 0 { +- t.Fatalf("Getcwd should fail with negative exit code, instead got %d!", exitCode) ++ t.Fatalf("dmesg should fail with negative exit code, instead got %d!", exitCode) + } + +- expected := "pwd: getcwd: No such process" ++ expected := "dmesg: klogctl: No such process" + actual := strings.Trim(buffers.Stderr.String(), "\n") + if actual != expected { + t.Fatalf("Expected output %s but got %s\n", expected, actual) + } + } + +-func TestSeccompDenyGetcwd(t *testing.T) { ++func TestSeccompDenySyslog(t *testing.T) { + if testing.Short() { + return + } +@@ -85,7 +85,7 @@ func TestSeccompDenyGetcwd(t *testing.T) { + DefaultAction: configs.Allow, + Syscalls: []*configs.Syscall{ + { +- Name: "getcwd", ++ Name: "syslog", + Action: configs.Errno, + }, + }, +@@ 
-98,7 +98,7 @@ func TestSeccompDenyGetcwd(t *testing.T) { + buffers := newStdBuffers() + pwd := &libcontainer.Process{ + Cwd: "/", +- Args: []string{"pwd"}, ++ Args: []string{"dmesg"}, + Env: standardEnvironment, + Stdin: buffers.Stdin, + Stdout: buffers.Stdout, +@@ -124,10 +124,10 @@ func TestSeccompDenyGetcwd(t *testing.T) { + } + + if exitCode == 0 { +- t.Fatalf("Getcwd should fail with negative exit code, instead got %d!", exitCode) ++ t.Fatalf("dmesg should fail with negative exit code, instead got %d!", exitCode) + } + +- expected := "pwd: getcwd: Operation not permitted" ++ expected := "dmesg: klogctl: Operation not permitted" + actual := strings.Trim(buffers.Stderr.String(), "\n") + if actual != expected { + t.Fatalf("Expected output %s but got %s\n", expected, actual) +-- +2.43.0 + +From b2b5754eb34174e032f1048beb1b27db83e77c5a Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Fri, 5 Jan 2024 01:42:32 +1100 +Subject: [runc v1.1.z PATCH 3/6] setns init: do explicit lookup of execve + argument early + +(This is a partial backport of a minor change included in commit +dac41717465462b21fab5b5942fe4cb3f47d7e53.) + +This mirrors the logic in standard_init_linux.go, and also ensures that +we do not call exec.LookPath in the final execve step. + +While this is okay for regular binaries, it seems exec.LookPath calls +os.Getenv which tries to emit a log entry to the test harness when +running in "go test" mode. In a future patch (in order to fix +CVE-2024-21626), we will close all of the file descriptors immediately +before execve, which would mean the file descriptor for test harness +logging would be closed at execve time. So, moving exec.LookPath earlier +is necessary. 
+ +Ref: dac417174654 ("runc-dmz: reduce memfd binary cloning cost with small C binary") +Signed-off-by: Aleksa Sarai +--- + libcontainer/setns_init_linux.go | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go +index 09ab552b3d12..e891773ec578 100644 +--- a/libcontainer/setns_init_linux.go ++++ b/libcontainer/setns_init_linux.go +@@ -4,6 +4,7 @@ import ( + "errors" + "fmt" + "os" ++ "os/exec" + "strconv" + + "github.com/opencontainers/selinux/go-selinux" +@@ -82,6 +83,21 @@ func (l *linuxSetnsInit) Init() error { + if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil { + return err + } ++ ++ // Check for the arg before waiting to make sure it exists and it is ++ // returned as a create time error. ++ name, err := exec.LookPath(l.config.Args[0]) ++ if err != nil { ++ return err ++ } ++ // exec.LookPath in Go < 1.20 might return no error for an executable ++ // residing on a file system mounted with noexec flag, so perform this ++ // extra check now while we can still return a proper error. ++ // TODO: remove this once go < 1.20 is not supported. ++ if err := eaccess(name); err != nil { ++ return &os.PathError{Op: "eaccess", Path: name, Err: err} ++ } ++ + // Set seccomp as close to execve as possible, so as few syscalls take + // place afterward (reducing the amount of syscalls that users need to + // enable in their seccomp profiles). +@@ -101,5 +117,5 @@ func (l *linuxSetnsInit) Init() error { + return &os.PathError{Op: "close log pipe", Path: "fd " + strconv.Itoa(l.logFd), Err: err} + } + +- return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ()) ++ return system.Exec(name, l.config.Args[0:], os.Environ()) + } +-- +2.43.0 + diff --git a/SPECS/moby-runc/moby-runc.spec b/SPECS/moby-runc/moby-runc.spec index 5a2df82425a..3722e943803 100644 --- a/SPECS/moby-runc/moby-runc.spec +++ b/SPECS/moby-runc/moby-runc.spec 
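Review bot: The new patch file carries only parts 1/6 through 3/6 of the upstream series (the file ends after the `[runc v1.1.z PATCH 3/6]` commit), and that third commit's own message says the step that fixes CVE-2024-21626 — closing all file descriptors immediately before execve — comes "in a future patch". Unless the remaining commits are carried elsewhere, which the `Patch0: CVE-2024-21626.patch` line in the SPECS/moby-runc/moby-runc.spec hunk does not suggest, the `verifyCwd` check from 2/6 covers only the working-directory variant and the descriptor leak the series describes is still present at exec time. Either append the rest of the upstream series to this file, or reword the changelog entry `Address CVE-2024-21626` to state that only the first three patches are applied so the remaining exposure is tracked.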
@@ -5,7 +5,7 @@ Summary: CLI tool for spawning and running containers per OCI spec. Name: moby-%{upstream_name} # update "commit_hash" above when upgrading version Version: 1.1.9 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 URL: https://github.com/opencontainers/runc Group: Virtualization/Libraries @@ -13,6 +13,7 @@ Vendor: Microsoft Corporation Distribution: Mariner Source0: https://github.com/opencontainers/runc/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch0: CVE-2024-21626.patch BuildRequires: git BuildRequires: golang => 1.16 @@ -35,7 +36,7 @@ Obsoletes: runc-io runC is a CLI tool for spawning and running containers according to the OCI specification. Containers are started as a child process of runC and can be embedded into various other systems without having to run a daemon. %prep -%setup -q -n %{upstream_name}-%{version} +%autosetup -n %{upstream_name}-%{version} -p1 %build export CGO_ENABLED=1 @@ -57,6 +58,10 @@ make install-man DESTDIR="%{buildroot}" PREFIX="%{_prefix}" %{_mandir}/* %changelog +* Tue Jan 23 2024 Muhammad Falak - 1.1.9-4 +- Address CVE-2024-21626 +- Switch to autosetup + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 1.1.9-3 - Bump release to rebuild with go 1.20.9 diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec index 5ce85b4714d..dd8fb6b4ce9 100644 --- a/SPECS/mysql/mysql.spec +++ b/SPECS/mysql/mysql.spec @@ -1,7 +1,7 @@ Summary: MySQL. Name: mysql Version: 8.0.35 -Release: 2%{?dist} +Release: 4%{?dist} License: GPLv2 with exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -15,6 +15,8 @@ BuildRequires: libtirpc-devel BuildRequires: openssl-devel BuildRequires: rpcsvc-proto-devel BuildRequires: zlib-devel +Requires(postun): shadow-utils +Requires(pre): shadow-utils %description MySQL is a free, widely used SQL engine. It can be used as a fast database as well as a rock-solid DBMS using a modular engine architecture. 
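Review bot: The new `Patch0: CVE-2024-21626.patch` is a single file, but the visible content is a multi-commit series (the preceding fragment is `[runc v1.1.z PATCH 3/6]`, and its own message says the actual fd-closing fix for CVE-2024-21626 lands in a later patch of that series), so nothing in the spec lets a reviewer confirm that all six pieces are present. Consider recording the provenance above the tag, e.g. `# Squashed backport of the upstream six-patch runc 1.1.z series for CVE-2024-21626; keep in sync with upstream`, or splitting the file into one PatchN per upstream commit so each can be diffed against its origin. The changelog entry could likewise name the upstream release that carries the full series. The `%check` section, if any, is outside this hunk, so I cannot tell whether the modified seccomp test is exercised at build time.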
@@ -51,6 +53,18 @@ make DESTDIR=%{buildroot} install %check make test +%pre +getent group mysql >/dev/null || groupadd -r mysql +getent passwd mysql >/dev/null || useradd -c "mysql" -s /bin/false -g mysql -M -r mysql + +%postun +if getent passwd mysql >/dev/null; then + userdel mysql +fi +if getent group mysql >/dev/null; then + groupdel mysql +fi + %files %defattr(-,root,root) %license LICENSE router/LICENSE.router @@ -84,6 +98,12 @@ make test %{_libdir}/pkgconfig/mysqlclient.pc %changelog +* Fri Jan 26 2024 Andy Zaugg - 8.0.35-4 +- Add shadow-utils dependency for rpm post and uninstall scripts + +* Wed Jan 10 2024 Andy Zaugg - 8.0.35-3 +- Add mysql user as part of post scripts + * Wed Dec 20 2023 Suresh Thelkar - 8.0.35-2 - Patch CVE-2023-46218 diff --git a/SPECS/nmap/nmap.spec b/SPECS/nmap/nmap.spec index 869c15ad712..aae2c577b18 100644 --- a/SPECS/nmap/nmap.spec +++ b/SPECS/nmap/nmap.spec @@ -1,7 +1,7 @@ Summary: Nmap Network Mapper Name: nmap Version: 7.93 -Release: 1%{?dist} +Release: 2%{?dist} License: Nmap Vendor: Microsoft Corporation Distribution: Mariner @@ -59,6 +59,9 @@ ln -s ncat %{buildroot}%{_bindir}/nc %{_bindir}/nc %changelog +* Wed Jan 17 2024 Harshit Gupta - 7.93-2 +- Release bump with no changes to force a rebuild and consume new libssh2 build + * Mon Apr 17 2023 Saul Paredes - 7.93-1 - Upgrading to latest version to fix CVE-2018-25032 diff --git a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec index f4a2141ae7f..dd930d87f2f 100644 --- a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec +++ b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec 
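Review bot: The new `%postun` removes the mysql user and group unconditionally, but `%postun` also runs on upgrade (with `$1` = 1) and runs after the new version's `%pre`, so every upgrade ends with the account deleted while the installed data still belongs to its UID/GID. Wrap both removals in an erase-only guard, `if [ "$1" -eq 0 ]; then … fi`, so the account survives upgrades. Even on erase, deleting a system account lets any leftover files owned by that UID/GID be inherited by whatever account later reuses the IDs, which is why many distributions never delete package users at all; it is worth deciding deliberately here. In `%pre`, `-s /sbin/nologin` is the conventional no-login shell, and `useradd -r -M` without `-d` leaves the account pointing at a non-existent home, so pass `-d` with the data directory (wherever this package places it).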
@@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates-base # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well. Epoch: 1 Version: 2.0.0 -Release: 14%{?dist} +Release: 15%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -46,6 +46,9 @@ find %{buildroot} -name README -delete %{_sysconfdir}/pki/java/cacerts %changelog +* Fri Jan 26 2024 CBL-Mariner Servicing Account - 2.0.0-15 +- Making 'Release' match with 'ca-certificates' + * Tue Dec 05 2023 CBL-Mariner Servicing Account - 1:2.0.0-14 - Making 'Release' match with 'ca-certificates'. diff --git a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec index 02d28e67127..4781064f949 100644 --- a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec +++ b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec @@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well. Epoch: 1 Version: 2.0.0 -Release: 14%{?dist} +Release: 15%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -49,6 +49,9 @@ find %{buildroot} -name README -delete %{_sysconfdir}/pki/java/cacerts %changelog +* Fri Jan 26 2024 CBL-Mariner Servicing Account - 2.0.0-15 +- Making 'Release' match with 'ca-certificates' + * Tue Dec 05 2023 CBL-Mariner Servicing Account - 1:2.0.0-14 - Making 'Release' match with 'ca-certificates'. diff --git a/SPECS/python-jinja2/CVE-2024-22195.patch b/SPECS/python-jinja2/CVE-2024-22195.patch new file mode 100644 index 00000000000..e634d8bb4ac --- /dev/null +++ b/SPECS/python-jinja2/CVE-2024-22195.patch 
@@ -0,0 +1,92 @@ +From 58cbcf78ba645b9f0ac33257a526a5b874bfd7c1 Mon Sep 17 00:00:00 2001 +From: Tobias Brick +Date: Tue, 23 Jan 2024 22:29:04 +0000 +Subject: [PATCH] Backport upstream change + https://github.com/pallets/jinja/commit/716795349a41d4983a9a4771f7d883c96ea17be7 + into 3.0.3. + +Backport was very straightforward -- basically line numbers and a small amount of context. + +Based on: + +From 7dd3680e6eea0d77fde024763657aa4d884ddb23 Mon Sep 17 00:00:00 2001 +From: Calum Hutton +Date: Thu, 26 Oct 2023 12:08:53 +0100 +Subject: [PATCH] xmlattr filter disallows keys with spaces +--- + src/jinja2/filters.py | 26 +++++++++++++++++++++----- + tests/test_filters.py | 6 ++++++ + 2 files changed, 27 insertions(+), 5 deletions(-) + +diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py +index ffb98bf..4f90bfe 100644 +--- a/src/jinja2/filters.py ++++ b/src/jinja2/filters.py +@@ -271,6 +271,9 @@ def do_lower(s: str) -> str: + return soft_str(s).lower() + + ++_space_re = re.compile(r"\s", flags=re.ASCII) ++ ++ + @pass_eval_context + def do_xmlattr( + eval_ctx: "EvalContext", d: t.Mapping[str, t.Any], autospace: bool = True +@@ -279,6 +282,9 @@ def do_xmlattr( + All values that are neither `none` nor `undefined` are automatically + escaped: + ++ If any key contains a space, this fails with a ``ValueError``. Values that ++ are neither ``none`` nor ``undefined`` are automatically escaped. ++ + .. sourcecode:: html+jinja + + = 2.0 BuildRequires: python3-setuptools BuildRequires: python3-xml -%if %{with_check} +%if 0%{?with_check} BuildRequires: python3-pip %endif Requires: python3 @@ -33,7 +34,7 @@ inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. %prep -%autosetup -n Jinja2-%{version} +%autosetup -p1 -n Jinja2-%{version} sed -i 's/\r$//' LICENSE.rst # Fix wrong EOL encoding %build 
@@ -53,6 +54,9 @@ tox -e py%{python3_version_nodots} %{python3_sitelib}/Jinja2-%{version}-py%{python3_version}.egg-info %changelog +* Wed Jan 24 2024 Tobias Brick - 3.0.3-3 +- Backport CVE-2024-22195 from upstream + * Tue Mar 15 2022 Muhammad Falak - 3.0.3-2 - Use `py%{python3_version_nodots}` instead of harcoding `py39` diff --git a/SPECS/python-urllib3/CVE-2023-43804.patch b/SPECS/python-urllib3/CVE-2023-43804.patch deleted file mode 100644 index 1050994c089..00000000000 --- a/SPECS/python-urllib3/CVE-2023-43804.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -From 6f4e0d9d44ac3b5a445ce384e52a20fcd7f5e733 Mon Sep 17 00:00:00 2001 -From: Seth Michael Larson -Date: Mon, 2 Oct 2023 11:43:46 -0500 -Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139) Modified to patch - CVE-2023-43804 in CBL-Mariner. Co-authored-by: Quentin Pradet - Co-authored-by: Illia Volochii - Modified by: Amrita Kohli - - ---- - src/urllib3/util/retry.py | 2 +- - test/test_retry.py | 4 ++-- - test/test_retry_deprecated.py | 2 +- - test/with_dummyserver/test_poolmanager.py | 24 ++++++++++++++++++----- - 4 files changed, 23 insertions(+), 9 deletions(-) - -diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py -index 3398323..f727602 100644 ---- a/src/urllib3/util/retry.py -+++ b/src/urllib3/util/retry.py -@@ -235,7 +235,7 @@ class Retry(object): - RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) - - #: Default headers to be used for ``remove_headers_on_redirect`` -- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) -+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) - - #: Maximum backoff time. 
- DEFAULT_BACKOFF_MAX = 120 -diff --git a/test/test_retry.py b/test/test_retry.py -index 21ba1e9..95a33e7 100644 ---- a/test/test_retry.py -+++ b/test/test_retry.py -@@ -293,12 +293,12 @@ class TestRetry(object): - def test_retry_default_remove_headers_on_redirect(self): - retry = Retry() - -- assert list(retry.remove_headers_on_redirect) == ["authorization"] -+ assert retry.remove_headers_on_redirect == {"authorization", "cookie"} - - def test_retry_set_remove_headers_on_redirect(self): - retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) - -- assert list(retry.remove_headers_on_redirect) == ["x-api-secret"] -+ assert retry.remove_headers_on_redirect == {"x-api-secret"} - - @pytest.mark.parametrize("value", ["-1", "+1", "1.0", six.u("\xb2")]) # \xb2 = ^2 - def test_parse_retry_after_invalid(self, value): -diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py -index f55c5d8..5133a51 100644 ---- a/test/test_retry_deprecated.py -+++ b/test/test_retry_deprecated.py -@@ -295,7 +295,7 @@ class TestRetry(object): - def test_retry_default_remove_headers_on_redirect(self): - retry = Retry() - -- assert list(retry.remove_headers_on_redirect) == ["authorization"] -+ assert retry.remove_headers_on_redirect == {"authorization", "cookie"} - - def test_retry_set_remove_headers_on_redirect(self): - retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) -diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py -index fa07a37..02a3811 100644 ---- a/test/with_dummyserver/test_poolmanager.py -+++ b/test/with_dummyserver/test_poolmanager.py -@@ -141,7 +141,7 @@ class TestPoolManager(HTTPDummyServerTestCase): - "GET", - "%s/redirect" % self.base_url, - fields={"target": "%s/headers" % self.base_url_alt}, -- headers={"Authorization": "foo"}, -+ headers={"Authorization": "foo", "Cookie": "foo=bar"}, - ) - - assert r.status == 200 -@@ -149,12 +149,13 @@ class TestPoolManager(HTTPDummyServerTestCase): - data = 
json.loads(r.data.decode("utf-8")) - - assert "Authorization" not in data -+ assert "Cookie" not in data - - r = http.request( - "GET", - "%s/redirect" % self.base_url, - fields={"target": "%s/headers" % self.base_url_alt}, -- headers={"authorization": "foo"}, -+ headers={"authorization": "foo", "cookie": "foo=bar"}, - ) - - assert r.status == 200 -@@ -163,6 +164,8 @@ class TestPoolManager(HTTPDummyServerTestCase): - - assert "authorization" not in data - assert "Authorization" not in data -+ assert "cookie" not in data -+ assert "Cookie" not in data - - def test_redirect_cross_host_no_remove_headers(self): - with PoolManager() as http: -@@ -170,7 +173,7 @@ class TestPoolManager(HTTPDummyServerTestCase): - "GET", - "%s/redirect" % self.base_url, - fields={"target": "%s/headers" % self.base_url_alt}, -- headers={"Authorization": "foo"}, -+ headers={"Authorization": "foo", "Cookie": "foo=bar"}, - retries=Retry(remove_headers_on_redirect=[]), - ) - -@@ -179,6 +182,7 @@ class TestPoolManager(HTTPDummyServerTestCase): - data = json.loads(r.data.decode("utf-8")) - - assert data["Authorization"] == "foo" -+ assert data["Cookie"] == "foo=bar" - - def test_redirect_cross_host_set_removed_headers(self): - with PoolManager() as http: -@@ -186,7 +190,11 @@ class TestPoolManager(HTTPDummyServerTestCase): - "GET", - "%s/redirect" % self.base_url, - fields={"target": "%s/headers" % self.base_url_alt}, -- headers={"X-API-Secret": "foo", "Authorization": "bar"}, -+ headers={ -+ "X-API-Secret": "foo", -+ "Authorization": "bar", -+ "Cookie": "foo=bar", -+ }, - retries=Retry(remove_headers_on_redirect=["X-API-Secret"]), - ) - -@@ -196,12 +204,17 @@ class TestPoolManager(HTTPDummyServerTestCase): - - assert "X-API-Secret" not in data - assert data["Authorization"] == "bar" -+ assert data["Cookie"] == "foo=bar" - - r = http.request( - "GET", - "%s/redirect" % self.base_url, - fields={"target": "%s/headers" % self.base_url_alt}, -- headers={"x-api-secret": "foo", "authorization": "bar"}, 
-+ headers={ -+ "x-api-secret": "foo", -+ "authorization": "bar", -+ "cookie": "foo=bar", -+ }, - retries=Retry(remove_headers_on_redirect=["X-API-Secret"]), - ) - -@@ -212,6 +225,7 @@ class TestPoolManager(HTTPDummyServerTestCase): - assert "x-api-secret" not in data - assert "X-API-Secret" not in data - assert data["Authorization"] == "bar" -+ assert data["Cookie"] == "foo=bar" - - def test_redirect_without_preload_releases_connection(self): - with PoolManager(block=True, maxsize=2) as http: --- -2.34.1 - diff --git a/SPECS/python-urllib3/python-urllib3.spec b/SPECS/python-urllib3/python-urllib3.spec index 875c68046dd..456eed71afe 100644 --- a/SPECS/python-urllib3/python-urllib3.spec +++ b/SPECS/python-urllib3/python-urllib3.spec @@ -1,7 +1,7 @@ Summary: A powerful, sanity-friendly HTTP client for Python. Name: python-urllib3 Version: 1.26.18 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -9,6 +9,7 @@ Group: Development/Languages/Python URL: https://pypi.python.org/pypi/urllib3 Source0: https://github.com/urllib3/urllib3/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz BuildArch: noarch +Patch0: urllib3_test_recent_date.patch %description A powerful, sanity-friendly HTTP client for Python. @@ -51,6 +52,9 @@ nox --reuse-existing-virtualenvs --sessions test-%{python3_version} %{python3_sitelib}/* %changelog +* Wed Jan 17 2024 Mandeep Plaha - 1.26.18-2 +- Fix test_recent_date test by updating the hard-coded date used for test + * Fri Oct 27 2023 CBL-Mariner Servicing Account - 1.26.18-1 - Auto-upgrade to 1.26.18 - fix CVE-2023-45803 diff --git a/SPECS/python-urllib3/urllib3_test_recent_date.patch b/SPECS/python-urllib3/urllib3_test_recent_date.patch new file mode 100644 index 00000000000..8eaa548192b --- /dev/null +++ b/SPECS/python-urllib3/urllib3_test_recent_date.patch 
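Review bot: The hunk adds `Patch0: urllib3_test_recent_date.patch` but shows no change to `%prep`, and the spec previously declared no patches, so unless `%prep` already uses `%autosetup -p1` (or an explicit `%patch0 -p1`, as the patch's `a/`/`b/` prefixes require) the patch is never applied and `test_recent_date` keeps failing; `%prep` is outside this hunk, please confirm. The patched comment itself says `RECENT_DATE` must be bumped again as regular maintenance, so this distro-only change will recur; a note next to the tag such as `# Local-only: bumps RECENT_DATE so test_recent_date passes; refresh when the test fails again` would tell the next maintainer why a non-upstream source change is carried.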
@@ -0,0 +1,12 @@ +diff -ur a/src/urllib3/connection.py b/src/urllib3/connection.py +--- a/src/urllib3/connection.py 2023-10-17 10:26:30 ++++ b/src/urllib3/connection.py 2024-01-17 08:03:33 +@@ -68,7 +68,7 @@ + + # When it comes time to update this value as a part of regular maintenance + # (ie test_recent_date is failing) update it to ~6 months before the current date. +-RECENT_DATE = datetime.date(2022, 1, 1) ++RECENT_DATE = datetime.date(2023, 8, 1) + + _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]") + diff --git a/SPECS/python-virtualenv/python-virtualenv.spec b/SPECS/python-virtualenv/python-virtualenv.spec index 0283239abe2..663e68567cb 100644 --- a/SPECS/python-virtualenv/python-virtualenv.spec +++ b/SPECS/python-virtualenv/python-virtualenv.spec @@ -1,7 +1,7 @@ Summary: Virtual Python Environment builder Name: python-virtualenv Version: 20.14.0 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -30,6 +30,7 @@ Requires: python3 Requires: python3-filelock Requires: python3-platformdirs = 2.0.0 Requires: python3-distlib < 1 +Requires: python3-six Provides: %{name}-doc = %{version}-%{release} %description -n python3-virtualenv @@ -55,6 +56,9 @@ tox -e py %{_bindir}/virtualenv %changelog +* Thu Jan 25 2024 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 20.14.0-5 +- Add missing runtime dependency on python-six + * Mon Dec 04 2023 Olivia Crain - 20.14.0-4 - Add upstream patch to fix package tests with newer versions of pluggy diff --git a/SPECS/rabbitmq-server/rabbitmq-server.spec b/SPECS/rabbitmq-server/rabbitmq-server.spec index 5f6a5026c9b..477119e7f9a 100644 --- a/SPECS/rabbitmq-server/rabbitmq-server.spec +++ b/SPECS/rabbitmq-server/rabbitmq-server.spec @@ -2,7 +2,7 @@ Summary: rabbitmq-server Name: rabbitmq-server Version: 3.11.11 -Release: 1%{?dist} +Release: 2%{?dist} License: Apache-2.0 and MPL 2.0 Vendor: Microsoft Corporation Distribution: Mariner 
@@ -115,6 +115,9 @@ done %{_libdir}/rabbitmq/lib/rabbitmq_server-%{version}/* %changelog +* Wed Jan 17 2024 Harshit Gupta - 3.11.11-2 +- Release bump with no changes to force a rebuild and consume new erlang build + * Tue Mar 14 2023 Sam Meluch - 3.11.11-1 - Original version for CBL-Mariner - License Verified diff --git a/SPECS/skopeo/skopeo.signatures.json b/SPECS/skopeo/skopeo.signatures.json index 79b9f73bd47..f7c388d1baf 100644 --- a/SPECS/skopeo/skopeo.signatures.json +++ b/SPECS/skopeo/skopeo.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "skopeo-1.13.3.tar.gz": "0b788fc5725ac79327f7c29797821a2bafc1c3c87bbfcb2998c2a1be949e314d" + "skopeo-1.14.1.tar.gz": "b174ada87751ecd7f8e0e292d163c9b0c4a2172a6ba32e1725ae272c24f7f841" } } \ No newline at end of file diff --git a/SPECS/skopeo/skopeo.spec b/SPECS/skopeo/skopeo.spec index b6e616c7e18..9085d8f1a2d 100644 --- a/SPECS/skopeo/skopeo.spec +++ b/SPECS/skopeo/skopeo.spec @@ -1,6 +1,6 @@ Summary: Inspect container images and repositories on registries Name: skopeo -Version: 1.13.3 +Version: 1.14.1 Release: 1%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation @@ -46,6 +46,9 @@ make test-unit-local %{_mandir}/man1/%%{name}* %changelog +* Fri Jan 19 2024 Muhammad Falak - 1.14.1-1 +- Bump version to 1.14.1 to address https://github.com/advisories/GHSA-jq35-85cj-fj4p + * Tue Oct 17 2023 Neha Agarwal - 1.13.3-1 - Update to v1.13.3 to fix CVE-2023-33199 in rekor. diff --git a/SPECS/virtiofsd/config.toml b/SPECS/virtiofsd/config.toml new file mode 100644 index 00000000000..02369289646 --- /dev/null +++ b/SPECS/virtiofsd/config.toml @@ -0,0 +1,5 @@ +[source.crates-io] +replace-with = "vendored-sources" + +[source.vendored-sources] +directory = "vendor" diff --git a/SPECS/virtiofsd/virtiofsd.signatures.json b/SPECS/virtiofsd/virtiofsd.signatures.json new file mode 100644 index 00000000000..ce235998df9 --- /dev/null +++ b/SPECS/virtiofsd/virtiofsd.signatures.json 
@@ -0,0 +1,7 @@
+{
+ "Signatures": {
+ "virtiofsd-v1.8.0.tar.gz": "35a59628c44da64d72b25cbdea54fe2fa68ecd42482f34c4755f4020e6dc280b",
+ "virtiofsd-v1.8.0-cargo.tar.gz": "47a1595ccee910ddb2f786469ac2601b5e5e114a42796072aa03bfe9f3706fd7",
+ "config.toml": "77e9219c27274120197571fd165cbe4121963b5ad3bc0b20b383c86ef0ce6c2b"
+ }
+}
diff --git a/SPECS/virtiofsd/virtiofsd.spec b/SPECS/virtiofsd/virtiofsd.spec
new file mode 100644
index 00000000000..aafd160e845
--- /dev/null
+++ b/SPECS/virtiofsd/virtiofsd.spec
@@ -0,0 +1,55 @@
+Name: virtiofsd
+Version: 1.8.0
+Release: 1%{?dist}
+Summary: Virtio-fs vhost-user device daemon (Rust version)
+License: Apache-2.0 AND BSD-3-Clause
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://gitlab.com/virtio-fs/virtiofsd
+Source0: https://gitlab.com/virtio-fs/virtiofsd/-/archive/v%{version}/%{name}-v%{version}.tar.gz
+
+# To update the vendor tarball and config.toml:
+# wget %{SOURCE0}
+# tar -xf %{name}-v%{version}.tar.gz
+# cd %{name}-v%{version}
+# cargo vendor > ../config.toml
+# tar -czf ../%{name}-v%{version}-cargo.tar.gz vendor/
+Source1: %{name}-v%{version}-cargo.tar.gz
+Source2: config.toml
+
+ExclusiveArch: x86_64
+
+BuildRequires: cargo
+BuildRequires: libcap-ng-devel
+BuildRequires: libseccomp-devel
+
+%description
+Virtio-fs vhost-user device daemon (Rust version)
+
+%prep
+%autosetup -p1 -n %{name}-v%{version}
+
+pushd %{_builddir}/%{name}-v%{version}
+tar -xf %{SOURCE1}
+mkdir -p .cargo
+cp %{SOURCE2} .cargo/
+popd
+
+%build
+pushd %{_builddir}/%{name}-v%{version}
+cargo build --release --offline
+popd
+
+%install
+mkdir -p %{buildroot}%{_libexecdir}
+install -D -p -m 0755 target/release/virtiofsd %{buildroot}%{_libexecdir}/virtiofsd-rs
+
+%files
+%license LICENSE-APACHE LICENSE-BSD-3-Clause
+%doc README.md
+%{_libexecdir}/virtiofsd-rs
+
+%changelog
+* Tue Jan 9 2024 Aurélien Bombo - 1.8.0-1
+- Initial CBL-Mariner import from Fedora 39 (license: MIT).
+- License verified.
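Review bot: `cargo build --release --offline` in `%build` is not passed `--locked`, so if the upstream tarball ships a `Cargo.lock`, cargo may quietly re-resolve dependency versions against whatever is in the vendor directory instead of failing when the lockfile and Source1 drift apart; `cargo build --release --offline --locked` makes that mismatch a build error and keeps the shipped binary tied to the reviewed lockfile. Source1 is a locally generated vendor tarball with no upstream URL, so the vendored crates are attested only by the hash in virtiofsd.signatures.json, and the cgmanifest entry in this change records only the main tarball; a comment next to Source1 stating how the vendored crate set is reviewed when regenerated would help whoever audits the supply chain. There is no `%check`; `cargo test --release --offline` under a `%if 0%{?with_check}` guard, as other specs in this tree do, would run the upstream unit tests. Stylistically, the `pushd %{_builddir}/%{name}-v%{version}` / `popd` pairs in `%prep` and `%build` are redundant, since `%autosetup -n` already leaves the build in that directory.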
diff --git a/cgmanifest.json b/cgmanifest.json index 42e051fc192..d151f5dc8a0 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -1807,8 +1807,8 @@ "type": "other", "other": { "name": "cloud-init", - "version": "23.3", - "downloadUrl": "https://launchpad.net/cloud-init/trunk/23.3/+download/cloud-init-23.3.tar.gz" + "version": "23.4.1", + "downloadUrl": "https://launchpad.net/cloud-init/trunk/23.4.1/+download/cloud-init-23.4.1.tar.gz" } } }, @@ -5240,8 +5240,8 @@ "type": "other", "other": { "name": "helm", - "version": "3.13.2", - "downloadUrl": "https://github.com/helm/helm/archive/v3.13.2.tar.gz" + "version": "3.14.0", + "downloadUrl": "https://github.com/helm/helm/archive/v3.14.0.tar.gz" } } }, @@ -6540,8 +6540,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "5.15.145.2", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.145.2.tar.gz" + "version": "5.15.148.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.148.1.tar.gz" } } }, @@ -8051,8 +8051,8 @@ "type": "other", "other": { "name": "kata-containers-cc", - "version": "0.6.2", - "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/cc-0.6.2.tar.gz" + "version": "0.6.3", + "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/cc-0.6.3.tar.gz" } } }, @@ -8121,8 +8121,8 @@ "type": "other", "other": { "name": "kernel", - "version": "5.15.145.2", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.145.2.tar.gz" + "version": "5.15.148.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.148.1.tar.gz" } } }, 
@@ -8131,8 +8131,8 @@ "type": "other", "other": { "name": "kernel-azure", - "version": "5.15.145.2", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.145.2.tar.gz" + "version": "5.15.148.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.148.1.tar.gz" } } }, @@ -8141,8 +8141,8 @@ "type": "other", "other": { "name": "kernel-hci", - "version": "5.15.145.2", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.145.2.tar.gz" + "version": "5.15.148.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.148.1.tar.gz" } } }, @@ -8151,8 +8151,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "5.15.145.2", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.145.2.tar.gz" + "version": "5.15.148.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.148.1.tar.gz" } } }, @@ -8161,8 +8161,8 @@ "type": "other", "other": { "name": "kernel-mos", - "version": "5.15.145.2", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2-mos/5.15.145.2.tar.gz" + "version": "5.15.148.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2-mos/5.15.148.1.tar.gz" } } }, @@ -27827,8 +27827,8 @@ "type": "other", "other": { "name": "skopeo", - "version": "1.13.3", - "downloadUrl": "https://github.com/containers/skopeo/archive/refs/tags/v1.13.3.tar.gz" + "version": "1.14.1", + "downloadUrl": "https://github.com/containers/skopeo/archive/refs/tags/v1.14.1.tar.gz" } } }, 
@@ -29512,6 +29512,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "virtiofsd", + "version": "1.8.0", + "downloadUrl": "https://gitlab.com/virtio-fs/virtiofsd/-/archive/v1.8.0/virtiofsd-v1.8.0.tar.gz" + } + } + }, { "component": { "type": "other", diff --git a/toolkit/README.md b/toolkit/README.md index 2580fda62ec..43f18a6f479 100644 --- a/toolkit/README.md +++ b/toolkit/README.md @@ -12,7 +12,7 @@ - Learn how to create an Unattended Installer. - Other Advanced Topics. -## [Build Users Guide](docs/building/building.md) +## [Build Users Guide](docs/building/building.md) - **Recommended if you are a developer and want to learn how to fully build CBL-Mariner.** - Build CBL-Mariner end-to-end. @@ -24,6 +24,10 @@ - Initial prep, local packages, package builds, image generation. +## [Understanding build logs](docs/how_it_works/6_logs.md) + +- Understanding common build logs with a focus on errors and warnings and how to interpret them. + ## [OS security](docs/security/intro.md) - Topics related to system security. diff --git a/toolkit/docs/how_it_works/0_intro.md b/toolkit/docs/how_it_works/0_intro.md index 0f02620bd9b..5aee1f8d8e9 100644 --- a/toolkit/docs/how_it_works/0_intro.md +++ b/toolkit/docs/how_it_works/0_intro.md @@ -59,7 +59,7 @@ flowchart LR remoteSourceTar --> pack patches --> pack sigFile --> pack - pack --> srpm + pack --> srpm srpm --> buildRPM buildRPM --> rpm ``` @@ -145,7 +145,7 @@ flowchart TD tcManifests --> buildTC tcRebuild -->|no| toolchainChoice toolchainChoice -->|no| pullRemote - toolchainChoice -->|yes| pullTC + toolchainChoice -->|yes| pullTC pullRemote --> tcRPMs pullTC --> hydrateTC tcArchiveOld --> pullTC 
@@ -228,7 +228,7 @@ flowchart TD subgraph sched ["Scheduler tool (scheduler)"] currentGraph[/Current graph/]:::io trim[Remove unneeded branches from graph]:::process - doneBuild{{Done building all required nodes?}}:::decision + doneBuild{{Done building all required nodes?}}:::decision leafNodesAvail{{Leaf nodes available?}}:::decision worker[Schedule a chroot worker to build the SRPM]:::process builtRPMs[/Built RPMs/]:::io @@ -263,7 +263,7 @@ flowchart TD classDef goodState fill:#566E40,stroke:#333,stroke-width:2px,color:#fff; classDef badState fill:#BC4B51,stroke:#333,stroke-width:2px,color:#fff; classDef collection fill:#247BA0,stroke:#333,stroke-width:2px,color:#fff; - + %% state nodes start(["Start (make image / make ISO)"]):::goodState done([Done]):::goodState @@ -299,7 +299,7 @@ flowchart TD raw --> roast roast --> image image --> done - + ``` ## In Depth Explanations @@ -322,4 +322,8 @@ flowchart TD ### [5. Misc](5_misc.md) -- Chroots \ No newline at end of file +- Chroots + +### [6. Logs](6_logs.md) + +- Understanding common build logs errors diff --git a/toolkit/docs/how_it_works/5_misc.md b/toolkit/docs/how_it_works/5_misc.md index 5e26637d8cc..cdee9b7919a 100644 --- a/toolkit/docs/how_it_works/5_misc.md +++ b/toolkit/docs/how_it_works/5_misc.md @@ -1,6 +1,6 @@ Miscellaneous Topics === -## Prev: [Image Generation](4_image_generation.md) +## Prev: [Image Generation](4_image_generation.md), Next: [Common Error Logs](6_logs.md) - [Chroot](#chroot) - [Makefile Advanced Components](#makefile-advanced-components) - [Config Tracking](#Config-Tracking) 
@@ -130,7 +130,7 @@ For each entry in `$(go_tool_list)` the define `go_util_rule` is parsed and exec > ``` ##### `$(TOOL_BINS_DIR)/%` -Assuming local tool rebuilding is enabled with `REBUILD_TOOLS=y` (by default the go executables are pre-built as part of the toolkit) this target will match any go executable of the form `./out/tools/tool1, ./out/tools/tool2, ...`. +Assuming local tool rebuilding is enabled with `REBUILD_TOOLS=y` (by default the go executables are pre-built as part of the toolkit) this target will match any go executable of the form `./out/tools/tool1, ./out/tools/tool2, ...`. ```makefile $(TOOL_BINS_DIR)/%: $(go_common_files) cd $(TOOLS_DIR)/$* && \ @@ -158,9 +158,9 @@ Mariner distroless container images do not contain an RPM database. In order for rpm --query --all --query-format "%{NAME}\t%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\t%{BUILDTIME}\t%{VENDOR}\t%{EPOCH}\t%{SIZE}\t%{ARCH}\t%{EPOCHNUM}\t%{SOURCERPM}\n" ``` -Note: The output of the above command also includes the `gpg-pubkey` which is not an RPM package. In order to filter it out, the output of the above command can be piped (i.e., `|`) to the following command: +Note: The output of the above command also includes the `gpg-pubkey` which is not an RPM package. In order to filter it out, the output of the above command can be piped (i.e., `|`) to the following command: ```bash grep -v gpg-pubkey ``` -## Prev: [Image Generation](4_image_generation.md) \ No newline at end of file +## Prev: [Image Generation](4_image_generation.md), Next: [Common Error Logs](6_logs.md) diff --git a/toolkit/docs/how_it_works/6_logs.md b/toolkit/docs/how_it_works/6_logs.md new file mode 100644 index 00000000000..4cd4f02cbbb --- /dev/null +++ b/toolkit/docs/how_it_works/6_logs.md 
@@ -0,0 +1,60 @@ +Common error logs +=== +## Prev: [Misc](5_misc.md) +- [Unresolvable circular dependencies](#unresolvable-circular-dependencies) + - [Example](#example) + - [Explanation](#explanation) + - [How to fix](#how-to-fix) + - [More info about the `RUN` and `BUILD` nodes](#more-info-about-the-run-and-build-nodes) + +## Unresolvable circular dependencies +### Example + +``` +ERRO[0011][grapher] Unfixable circular dependency found: {bpftool-6.6.2.1-2.azl3-RUN} --> {systemd-devel-255-2.azl3-BUILD} --> {systemd-devel-255-2.azl3-RUN} --> {grub2-rpm-macros-2.06-13.azl3-BUILD} --> {grub2-rpm-macros-2.06-13.azl3-RUN} --> {bpftool-6.6.2.1-2.azl3-BUILD} --> {bpftool-6.6.2.1-2.azl3-RUN} error: cycle can't be resolved with prebuilt/PMC RPMs. Unresolvable +``` + +After extraction of the interesting part: + +``` +Unfixable circular dependency found: +{bpftool-6.6.2.1-2.-RUN} --> {systemd-devel-255-2.-BUILD} --> +{systemd-devel-255-2.-RUN} --> {grub2-rpm-macros-2.06-13.-BUILD} --> +{grub2-rpm-macros-2.06-13.-RUN} --> {bpftool-6.6.2.1-2.-BUILD} +``` + +### Explanation + +This is a build-time dependency cycle. The toolkit doesn't allow circular **build-time** dependencies (circular **run-time** dependencies are allowed). + +These errors may be better understood if read from the back: +- `{grub2-rpm-macros-2.06-13.-RUN} --> {bpftool-6.6.2.1-2.-BUILD}`: `bpftool` (1) depends on `grub2-rpm-macros` (2) to build +- `{systemd-devel-255-2.-RUN} --> {grub2-rpm-macros-2.06-13.-BUILD}`: `grub2-rpm-macros` (2) depends on `systemd-devel` (3) to build +- `{bpftool-6.6.2.1-2.-RUN} --> {systemd-devel-255-2.-BUILD}`: `systemd-devel` (3) depends on `bpftool` (1) to build and that closes the cycle. + +The logs print specific packages, not specs or SRPMs. + +### How to fix + +The fix is to remove the dependency of one of the packages on the other. 
Ideas: +- Double-check the declared build-time dependencies of the packages (`BuildRequires` in the spec files) are actually necessary to build the package. +- Split one of the packages into a bootstrap and regular version, where the bootstrap doesn't create circular dependencies. Then have the other packages from the cycle depend on the bootstrap version. + This happens in case of some compilers, which in newer version depend on themselves. Another example is our `systemd` package, which has its `systemd-bootstrap` counterpart. + +### More info about the `RUN` and `BUILD` nodes + +These are nodes of the dependency graph created during the build. The `RUN` nodes represent a runnable package, while the `BUILD` nodes represent a package that needs to be built. + +The dependencies are encoded by the edges: +- Run-time dependencies are the `-->` going from `RUN` nodes to other `RUN` nodes. +- Build-time dependencies are the `-->` going from `RUN` nodes to `BUILD` nodes. +- The `{XXX-BUILD} --> {XXX-RUN}` edges represent the fact that in order to use package `XXX` at run-time, it needs to be built first. + +Examples: +- `{XXX-RUN} --> {YYY-RUN}`: `XXX` is a run-time dependencies of package `YYY`. +- `{XXX-RUN} --> {YYY-BUILD}`: `XXX` is a build-time dependencies of package `YYY`. +- `{XXX-BUILD} --> {XXX-RUN}`: `XXX` needs to be built before it can be used at run-time. + +For more information about the build system, please check out [How the Build System Works](0_intro.md). + +## Prev: [Misc](5_misc.md) diff --git a/toolkit/imageconfigs/baremetal.json b/toolkit/imageconfigs/baremetal.json index 1ef399381a3..bd75941ae08 100644 --- a/toolkit/imageconfigs/baremetal.json +++ b/toolkit/imageconfigs/baremetal.json @@ -55,7 +55,7 @@ "SELinux": "enforcing" }, "KernelOptions": { - "default": "kernel-hci" + "default": "kernel" }, "Hostname": "azure-linux" } 
diff --git a/toolkit/imageconfigs/packagelists/core-packages-image.json b/toolkit/imageconfigs/packagelists/core-packages-image.json index f7c5a6ba11e..6b697d4248c 100644 --- a/toolkit/imageconfigs/packagelists/core-packages-image.json +++ b/toolkit/imageconfigs/packagelists/core-packages-image.json @@ -6,7 +6,8 @@ "cronie-anacron", "logrotate", "core-packages-base-image", - "initramfs" + "initramfs", + "shadow-utils" ], "_comment": "Install 'initramfs' last to avoid unnecessary regeneration when other packages, such as 'kernel', are installed." } diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 474983dd50d..3c2904ee86d 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-20.cm2.aarch64.rpm -kernel-headers-5.15.145.2-1.cm2.noarch.rpm +kernel-headers-5.15.148.1-1.cm2.noarch.rpm glibc-2.35-6.cm2.aarch64.rpm glibc-devel-2.35-6.cm2.aarch64.rpm glibc-i18n-2.35-6.cm2.aarch64.rpm 
@@ -12,23 +12,23 @@ zlib-devel-1.2.13-2.cm2.aarch64.rpm file-5.40-2.cm2.aarch64.rpm file-devel-5.40-2.cm2.aarch64.rpm file-libs-5.40-2.cm2.aarch64.rpm -binutils-2.37-7.cm2.aarch64.rpm -binutils-devel-2.37-7.cm2.aarch64.rpm +binutils-2.37-8.cm2.aarch64.rpm +binutils-devel-2.37-8.cm2.aarch64.rpm gmp-6.2.1-4.cm2.aarch64.rpm gmp-devel-6.2.1-4.cm2.aarch64.rpm mpfr-4.1.0-2.cm2.aarch64.rpm mpfr-devel-4.1.0-2.cm2.aarch64.rpm libmetalink-0.1.3-1.cm2.aarch64.rpm libmpc-1.2.1-1.cm2.aarch64.rpm -libgcc-11.2.0-7.cm2.aarch64.rpm -libgcc-atomic-11.2.0-7.cm2.aarch64.rpm -libgcc-devel-11.2.0-7.cm2.aarch64.rpm -libstdc++-11.2.0-7.cm2.aarch64.rpm -libstdc++-devel-11.2.0-7.cm2.aarch64.rpm -libgomp-11.2.0-7.cm2.aarch64.rpm -libgomp-devel-11.2.0-7.cm2.aarch64.rpm -gcc-11.2.0-7.cm2.aarch64.rpm -gcc-c++-11.2.0-7.cm2.aarch64.rpm +libgcc-11.2.0-8.cm2.aarch64.rpm +libgcc-atomic-11.2.0-8.cm2.aarch64.rpm +libgcc-devel-11.2.0-8.cm2.aarch64.rpm +libstdc++-11.2.0-8.cm2.aarch64.rpm +libstdc++-devel-11.2.0-8.cm2.aarch64.rpm +libgomp-11.2.0-8.cm2.aarch64.rpm +libgomp-devel-11.2.0-8.cm2.aarch64.rpm +gcc-11.2.0-8.cm2.aarch64.rpm +gcc-c++-11.2.0-8.cm2.aarch64.rpm libpkgconf-1.8.0-3.cm2.aarch64.rpm pkgconf-1.8.0-3.cm2.aarch64.rpm pkgconf-m4-1.8.0-3.cm2.noarch.rpm @@ -186,13 +186,13 @@ cpio-lang-2.13-5.cm2.aarch64.rpm e2fsprogs-libs-1.46.5-3.cm2.aarch64.rpm libsolv-0.7.24-1.cm2.aarch64.rpm libsolv-devel-0.7.24-1.cm2.aarch64.rpm -libssh2-1.9.0-3.cm2.aarch64.rpm -libssh2-devel-1.9.0-3.cm2.aarch64.rpm +libssh2-1.9.0-4.cm2.aarch64.rpm +libssh2-devel-1.9.0-4.cm2.aarch64.rpm krb5-1.19.4-2.cm2.aarch64.rpm nghttp2-1.57.0-1.cm2.aarch64.rpm -curl-8.5.0-1.cm2.aarch64.rpm -curl-devel-8.5.0-1.cm2.aarch64.rpm -curl-libs-8.5.0-1.cm2.aarch64.rpm +curl-8.5.0-2.cm2.aarch64.rpm +curl-devel-8.5.0-2.cm2.aarch64.rpm +curl-libs-8.5.0-2.cm2.aarch64.rpm createrepo_c-0.17.5-1.cm2.aarch64.rpm libxml2-2.10.4-2.cm2.aarch64.rpm libxml2-devel-2.10.4-2.cm2.aarch64.rpm 
@@ -231,10 +231,10 @@ libffi-devel-3.4.2-3.cm2.aarch64.rpm libtasn1-4.19.0-1.cm2.aarch64.rpm p11-kit-0.24.1-1.cm2.aarch64.rpm p11-kit-trust-0.24.1-1.cm2.aarch64.rpm -ca-certificates-shared-2.0.0-14.cm2.noarch.rpm -ca-certificates-tools-2.0.0-14.cm2.noarch.rpm -ca-certificates-base-2.0.0-14.cm2.noarch.rpm -ca-certificates-2.0.0-14.cm2.noarch.rpm +ca-certificates-shared-2.0.0-15.cm2.noarch.rpm +ca-certificates-tools-2.0.0-15.cm2.noarch.rpm +ca-certificates-base-2.0.0-15.cm2.noarch.rpm +ca-certificates-2.0.0-15.cm2.noarch.rpm dwz-0.14-2.cm2.aarch64.rpm unzip-6.0-20.cm2.aarch64.rpm python3-3.9.14-8.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 2327330c726..ca2b36b4feb 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-20.cm2.x86_64.rpm -kernel-headers-5.15.145.2-1.cm2.noarch.rpm +kernel-headers-5.15.148.1-1.cm2.noarch.rpm glibc-2.35-6.cm2.x86_64.rpm glibc-devel-2.35-6.cm2.x86_64.rpm glibc-i18n-2.35-6.cm2.x86_64.rpm 
@@ -12,23 +12,23 @@ zlib-devel-1.2.13-2.cm2.x86_64.rpm file-5.40-2.cm2.x86_64.rpm file-devel-5.40-2.cm2.x86_64.rpm file-libs-5.40-2.cm2.x86_64.rpm -binutils-2.37-7.cm2.x86_64.rpm -binutils-devel-2.37-7.cm2.x86_64.rpm +binutils-2.37-8.cm2.x86_64.rpm +binutils-devel-2.37-8.cm2.x86_64.rpm gmp-6.2.1-4.cm2.x86_64.rpm gmp-devel-6.2.1-4.cm2.x86_64.rpm mpfr-4.1.0-2.cm2.x86_64.rpm mpfr-devel-4.1.0-2.cm2.x86_64.rpm libmetalink-0.1.3-1.cm2.x86_64.rpm libmpc-1.2.1-1.cm2.x86_64.rpm -libgcc-11.2.0-7.cm2.x86_64.rpm -libgcc-atomic-11.2.0-7.cm2.x86_64.rpm -libgcc-devel-11.2.0-7.cm2.x86_64.rpm -libstdc++-11.2.0-7.cm2.x86_64.rpm -libstdc++-devel-11.2.0-7.cm2.x86_64.rpm -libgomp-11.2.0-7.cm2.x86_64.rpm -libgomp-devel-11.2.0-7.cm2.x86_64.rpm -gcc-11.2.0-7.cm2.x86_64.rpm -gcc-c++-11.2.0-7.cm2.x86_64.rpm +libgcc-11.2.0-8.cm2.x86_64.rpm +libgcc-atomic-11.2.0-8.cm2.x86_64.rpm +libgcc-devel-11.2.0-8.cm2.x86_64.rpm +libstdc++-11.2.0-8.cm2.x86_64.rpm +libstdc++-devel-11.2.0-8.cm2.x86_64.rpm +libgomp-11.2.0-8.cm2.x86_64.rpm +libgomp-devel-11.2.0-8.cm2.x86_64.rpm +gcc-11.2.0-8.cm2.x86_64.rpm +gcc-c++-11.2.0-8.cm2.x86_64.rpm libpkgconf-1.8.0-3.cm2.x86_64.rpm pkgconf-1.8.0-3.cm2.x86_64.rpm pkgconf-m4-1.8.0-3.cm2.noarch.rpm @@ -186,13 +186,13 @@ cpio-lang-2.13-5.cm2.x86_64.rpm e2fsprogs-libs-1.46.5-3.cm2.x86_64.rpm libsolv-0.7.24-1.cm2.x86_64.rpm libsolv-devel-0.7.24-1.cm2.x86_64.rpm -libssh2-1.9.0-3.cm2.x86_64.rpm -libssh2-devel-1.9.0-3.cm2.x86_64.rpm +libssh2-1.9.0-4.cm2.x86_64.rpm +libssh2-devel-1.9.0-4.cm2.x86_64.rpm krb5-1.19.4-2.cm2.x86_64.rpm nghttp2-1.57.0-1.cm2.x86_64.rpm -curl-8.5.0-1.cm2.x86_64.rpm -curl-devel-8.5.0-1.cm2.x86_64.rpm -curl-libs-8.5.0-1.cm2.x86_64.rpm +curl-8.5.0-2.cm2.x86_64.rpm +curl-devel-8.5.0-2.cm2.x86_64.rpm +curl-libs-8.5.0-2.cm2.x86_64.rpm createrepo_c-0.17.5-1.cm2.x86_64.rpm libxml2-2.10.4-2.cm2.x86_64.rpm libxml2-devel-2.10.4-2.cm2.x86_64.rpm 
@@ -231,10 +231,10 @@ libffi-devel-3.4.2-3.cm2.x86_64.rpm libtasn1-4.19.0-1.cm2.x86_64.rpm p11-kit-0.24.1-1.cm2.x86_64.rpm p11-kit-trust-0.24.1-1.cm2.x86_64.rpm -ca-certificates-shared-2.0.0-14.cm2.noarch.rpm -ca-certificates-tools-2.0.0-14.cm2.noarch.rpm -ca-certificates-base-2.0.0-14.cm2.noarch.rpm -ca-certificates-2.0.0-14.cm2.noarch.rpm +ca-certificates-shared-2.0.0-15.cm2.noarch.rpm +ca-certificates-tools-2.0.0-15.cm2.noarch.rpm +ca-certificates-base-2.0.0-15.cm2.noarch.rpm +ca-certificates-2.0.0-15.cm2.noarch.rpm dwz-0.14-2.cm2.x86_64.rpm unzip-6.0-20.cm2.x86_64.rpm python3-3.9.14-8.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 11167776a6f..c404d7b0d64 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -9,20 +9,20 @@ bash-5.1.8-4.cm2.aarch64.rpm bash-debuginfo-5.1.8-4.cm2.aarch64.rpm bash-devel-5.1.8-4.cm2.aarch64.rpm bash-lang-5.1.8-4.cm2.aarch64.rpm -binutils-2.37-7.cm2.aarch64.rpm -binutils-debuginfo-2.37-7.cm2.aarch64.rpm -binutils-devel-2.37-7.cm2.aarch64.rpm +binutils-2.37-8.cm2.aarch64.rpm +binutils-debuginfo-2.37-8.cm2.aarch64.rpm +binutils-devel-2.37-8.cm2.aarch64.rpm bison-3.7.6-2.cm2.aarch64.rpm bison-debuginfo-3.7.6-2.cm2.aarch64.rpm bzip2-1.0.8-1.cm2.aarch64.rpm bzip2-debuginfo-1.0.8-1.cm2.aarch64.rpm bzip2-devel-1.0.8-1.cm2.aarch64.rpm bzip2-libs-1.0.8-1.cm2.aarch64.rpm -ca-certificates-2.0.0-14.cm2.noarch.rpm -ca-certificates-base-2.0.0-14.cm2.noarch.rpm -ca-certificates-legacy-2.0.0-14.cm2.noarch.rpm -ca-certificates-shared-2.0.0-14.cm2.noarch.rpm -ca-certificates-tools-2.0.0-14.cm2.noarch.rpm +ca-certificates-2.0.0-15.cm2.noarch.rpm +ca-certificates-base-2.0.0-15.cm2.noarch.rpm +ca-certificates-legacy-2.0.0-15.cm2.noarch.rpm +ca-certificates-shared-2.0.0-15.cm2.noarch.rpm +ca-certificates-tools-2.0.0-15.cm2.noarch.rpm ccache-4.8-1.cm2.aarch64.rpm ccache-debuginfo-4.8-1.cm2.aarch64.rpm check-0.15.2-1.cm2.aarch64.rpm @@ -46,10 +46,10 @@ cracklib-lang-2.9.7-5.cm2.aarch64.rpm createrepo_c-0.17.5-1.cm2.aarch64.rpm createrepo_c-debuginfo-0.17.5-1.cm2.aarch64.rpm createrepo_c-devel-0.17.5-1.cm2.aarch64.rpm -curl-8.5.0-1.cm2.aarch64.rpm -curl-debuginfo-8.5.0-1.cm2.aarch64.rpm -curl-devel-8.5.0-1.cm2.aarch64.rpm -curl-libs-8.5.0-1.cm2.aarch64.rpm +curl-8.5.0-2.cm2.aarch64.rpm +curl-debuginfo-8.5.0-2.cm2.aarch64.rpm +curl-devel-8.5.0-2.cm2.aarch64.rpm +curl-libs-8.5.0-2.cm2.aarch64.rpm Cython-debuginfo-0.29.33-1.cm2.aarch64.rpm debugedit-5.0-2.cm2.aarch64.rpm debugedit-debuginfo-5.0-2.cm2.aarch64.rpm 
@@ -91,16 +91,16 @@ flex-debuginfo-2.6.4-7.cm2.aarch64.rpm flex-devel-2.6.4-7.cm2.aarch64.rpm gawk-5.1.1-1.cm2.aarch64.rpm gawk-debuginfo-5.1.1-1.cm2.aarch64.rpm -gcc-11.2.0-7.cm2.aarch64.rpm -gcc-c++-11.2.0-7.cm2.aarch64.rpm -gcc-debuginfo-11.2.0-7.cm2.aarch64.rpm +gcc-11.2.0-8.cm2.aarch64.rpm +gcc-c++-11.2.0-8.cm2.aarch64.rpm +gcc-debuginfo-11.2.0-8.cm2.aarch64.rpm gdbm-1.21-1.cm2.aarch64.rpm gdbm-debuginfo-1.21-1.cm2.aarch64.rpm gdbm-devel-1.21-1.cm2.aarch64.rpm gdbm-lang-1.21-1.cm2.aarch64.rpm gettext-0.21-3.cm2.aarch64.rpm gettext-debuginfo-0.21-3.cm2.aarch64.rpm -gfortran-11.2.0-7.cm2.aarch64.rpm +gfortran-11.2.0-8.cm2.aarch64.rpm glib-2.71.0-2.cm2.aarch64.rpm glib-debuginfo-2.71.0-2.cm2.aarch64.rpm glib-devel-2.71.0-2.cm2.aarch64.rpm @@ -136,7 +136,7 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.aarch64.rpm kbd-debuginfo-2.2.0-1.cm2.aarch64.rpm -kernel-headers-5.15.145.2-1.cm2.noarch.rpm +kernel-headers-5.15.148.1-1.cm2.noarch.rpm kmod-29-2.cm2.aarch64.rpm kmod-debuginfo-29-2.cm2.aarch64.rpm kmod-devel-29-2.cm2.aarch64.rpm @@ -150,7 +150,7 @@ libarchive-devel-3.6.1-2.cm2.aarch64.rpm libassuan-2.5.5-2.cm2.aarch64.rpm libassuan-debuginfo-2.5.5-2.cm2.aarch64.rpm libassuan-devel-2.5.5-2.cm2.aarch64.rpm -libbacktrace-static-11.2.0-7.cm2.aarch64.rpm +libbacktrace-static-11.2.0-8.cm2.aarch64.rpm libcap-2.60-2.cm2.aarch64.rpm libcap-debuginfo-2.60-2.cm2.aarch64.rpm libcap-devel-2.60-2.cm2.aarch64.rpm 
@@ -160,14 +160,14 @@ libcap-ng-devel-0.8.2-2.cm2.aarch64.rpm libffi-3.4.2-3.cm2.aarch64.rpm libffi-debuginfo-3.4.2-3.cm2.aarch64.rpm libffi-devel-3.4.2-3.cm2.aarch64.rpm -libgcc-11.2.0-7.cm2.aarch64.rpm -libgcc-atomic-11.2.0-7.cm2.aarch64.rpm -libgcc-devel-11.2.0-7.cm2.aarch64.rpm +libgcc-11.2.0-8.cm2.aarch64.rpm +libgcc-atomic-11.2.0-8.cm2.aarch64.rpm +libgcc-devel-11.2.0-8.cm2.aarch64.rpm libgcrypt-1.10.3-1.cm2.aarch64.rpm libgcrypt-debuginfo-1.10.3-1.cm2.aarch64.rpm libgcrypt-devel-1.10.3-1.cm2.aarch64.rpm -libgomp-11.2.0-7.cm2.aarch64.rpm -libgomp-devel-11.2.0-7.cm2.aarch64.rpm +libgomp-11.2.0-8.cm2.aarch64.rpm +libgomp-devel-11.2.0-8.cm2.aarch64.rpm libgpg-error-1.46-1.cm2.aarch64.rpm libgpg-error-debuginfo-1.46-1.cm2.aarch64.rpm libgpg-error-devel-1.46-1.cm2.aarch64.rpm @@ -199,11 +199,11 @@ libsolv-0.7.24-1.cm2.aarch64.rpm libsolv-debuginfo-0.7.24-1.cm2.aarch64.rpm libsolv-devel-0.7.24-1.cm2.aarch64.rpm libsolv-tools-0.7.24-1.cm2.aarch64.rpm -libssh2-1.9.0-3.cm2.aarch64.rpm -libssh2-debuginfo-1.9.0-3.cm2.aarch64.rpm -libssh2-devel-1.9.0-3.cm2.aarch64.rpm -libstdc++-11.2.0-7.cm2.aarch64.rpm -libstdc++-devel-11.2.0-7.cm2.aarch64.rpm +libssh2-1.9.0-4.cm2.aarch64.rpm +libssh2-debuginfo-1.9.0-4.cm2.aarch64.rpm +libssh2-devel-1.9.0-4.cm2.aarch64.rpm +libstdc++-11.2.0-8.cm2.aarch64.rpm +libstdc++-devel-11.2.0-8.cm2.aarch64.rpm libtasn1-4.19.0-1.cm2.aarch64.rpm libtasn1-debuginfo-4.19.0-1.cm2.aarch64.rpm libtasn1-devel-4.19.0-1.cm2.aarch64.rpm @@ -518,7 +518,7 @@ python3-Cython-0.29.33-1.cm2.aarch64.rpm python3-debuginfo-3.9.14-8.cm2.aarch64.rpm python3-devel-3.9.14-8.cm2.aarch64.rpm python3-gpg-1.16.0-2.cm2.aarch64.rpm -python3-jinja2-3.0.3-2.cm2.noarch.rpm +python3-jinja2-3.0.3-3.cm2.noarch.rpm python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm python3-libs-3.9.14-8.cm2.aarch64.rpm python3-libxml2-2.10.4-2.cm2.aarch64.rpm 
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 82e470ca37c..3f7ffc40cf3 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -9,20 +9,21 @@ bash-5.1.8-4.cm2.x86_64.rpm bash-debuginfo-5.1.8-4.cm2.x86_64.rpm bash-devel-5.1.8-4.cm2.x86_64.rpm bash-lang-5.1.8-4.cm2.x86_64.rpm -binutils-2.37-7.cm2.x86_64.rpm -binutils-debuginfo-2.37-7.cm2.x86_64.rpm -binutils-devel-2.37-7.cm2.x86_64.rpm +binutils-2.37-8.cm2.x86_64.rpm +binutils-aarch64-linux-gnu-2.37-8.cm2.x86_64.rpm +binutils-debuginfo-2.37-8.cm2.x86_64.rpm +binutils-devel-2.37-8.cm2.x86_64.rpm bison-3.7.6-2.cm2.x86_64.rpm bison-debuginfo-3.7.6-2.cm2.x86_64.rpm bzip2-1.0.8-1.cm2.x86_64.rpm bzip2-debuginfo-1.0.8-1.cm2.x86_64.rpm bzip2-devel-1.0.8-1.cm2.x86_64.rpm bzip2-libs-1.0.8-1.cm2.x86_64.rpm -ca-certificates-2.0.0-14.cm2.noarch.rpm -ca-certificates-base-2.0.0-14.cm2.noarch.rpm -ca-certificates-legacy-2.0.0-14.cm2.noarch.rpm -ca-certificates-shared-2.0.0-14.cm2.noarch.rpm -ca-certificates-tools-2.0.0-14.cm2.noarch.rpm +ca-certificates-2.0.0-15.cm2.noarch.rpm +ca-certificates-base-2.0.0-15.cm2.noarch.rpm +ca-certificates-legacy-2.0.0-15.cm2.noarch.rpm +ca-certificates-shared-2.0.0-15.cm2.noarch.rpm +ca-certificates-tools-2.0.0-15.cm2.noarch.rpm ccache-4.8-1.cm2.x86_64.rpm ccache-debuginfo-4.8-1.cm2.x86_64.rpm check-0.15.2-1.cm2.x86_64.rpm 
@@ -46,10 +47,12 @@ cracklib-lang-2.9.7-5.cm2.x86_64.rpm createrepo_c-0.17.5-1.cm2.x86_64.rpm createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm -curl-8.5.0-1.cm2.x86_64.rpm -curl-debuginfo-8.5.0-1.cm2.x86_64.rpm -curl-devel-8.5.0-1.cm2.x86_64.rpm -curl-libs-8.5.0-1.cm2.x86_64.rpm +cross-binutils-common-2.37-8.cm2.noarch.rpm +cross-gcc-common-11.2.0-8.cm2.noarch.rpm +curl-8.5.0-2.cm2.x86_64.rpm +curl-debuginfo-8.5.0-2.cm2.x86_64.rpm +curl-devel-8.5.0-2.cm2.x86_64.rpm +curl-libs-8.5.0-2.cm2.x86_64.rpm Cython-debuginfo-0.29.33-1.cm2.x86_64.rpm debugedit-5.0-2.cm2.x86_64.rpm debugedit-debuginfo-5.0-2.cm2.x86_64.rpm @@ -91,16 +94,18 @@ flex-debuginfo-2.6.4-7.cm2.x86_64.rpm flex-devel-2.6.4-7.cm2.x86_64.rpm gawk-5.1.1-1.cm2.x86_64.rpm gawk-debuginfo-5.1.1-1.cm2.x86_64.rpm -gcc-11.2.0-7.cm2.x86_64.rpm -gcc-c++-11.2.0-7.cm2.x86_64.rpm -gcc-debuginfo-11.2.0-7.cm2.x86_64.rpm +gcc-11.2.0-8.cm2.x86_64.rpm +gcc-aarch64-linux-gnu-11.2.0-8.cm2.x86_64.rpm +gcc-c++-11.2.0-8.cm2.x86_64.rpm +gcc-c++-aarch64-linux-gnu-11.2.0-8.cm2.x86_64.rpm +gcc-debuginfo-11.2.0-8.cm2.x86_64.rpm gdbm-1.21-1.cm2.x86_64.rpm gdbm-debuginfo-1.21-1.cm2.x86_64.rpm gdbm-devel-1.21-1.cm2.x86_64.rpm gdbm-lang-1.21-1.cm2.x86_64.rpm gettext-0.21-3.cm2.x86_64.rpm gettext-debuginfo-0.21-3.cm2.x86_64.rpm -gfortran-11.2.0-7.cm2.x86_64.rpm +gfortran-11.2.0-8.cm2.x86_64.rpm glib-2.71.0-2.cm2.x86_64.rpm glib-debuginfo-2.71.0-2.cm2.x86_64.rpm glib-devel-2.71.0-2.cm2.x86_64.rpm @@ -136,7 +141,8 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.x86_64.rpm kbd-debuginfo-2.2.0-1.cm2.x86_64.rpm -kernel-headers-5.15.145.2-1.cm2.noarch.rpm +kernel-cross-headers-5.15.148.1-1.cm2.noarch.rpm +kernel-headers-5.15.148.1-1.cm2.noarch.rpm kmod-29-2.cm2.x86_64.rpm kmod-debuginfo-29-2.cm2.x86_64.rpm kmod-devel-29-2.cm2.x86_64.rpm 
@@ -150,7 +156,7 @@ libarchive-devel-3.6.1-2.cm2.x86_64.rpm libassuan-2.5.5-2.cm2.x86_64.rpm libassuan-debuginfo-2.5.5-2.cm2.x86_64.rpm libassuan-devel-2.5.5-2.cm2.x86_64.rpm -libbacktrace-static-11.2.0-7.cm2.x86_64.rpm +libbacktrace-static-11.2.0-8.cm2.x86_64.rpm libcap-2.60-2.cm2.x86_64.rpm libcap-debuginfo-2.60-2.cm2.x86_64.rpm libcap-devel-2.60-2.cm2.x86_64.rpm @@ -160,14 +166,14 @@ libcap-ng-devel-0.8.2-2.cm2.x86_64.rpm libffi-3.4.2-3.cm2.x86_64.rpm libffi-debuginfo-3.4.2-3.cm2.x86_64.rpm libffi-devel-3.4.2-3.cm2.x86_64.rpm -libgcc-11.2.0-7.cm2.x86_64.rpm -libgcc-atomic-11.2.0-7.cm2.x86_64.rpm -libgcc-devel-11.2.0-7.cm2.x86_64.rpm +libgcc-11.2.0-8.cm2.x86_64.rpm +libgcc-atomic-11.2.0-8.cm2.x86_64.rpm +libgcc-devel-11.2.0-8.cm2.x86_64.rpm libgcrypt-1.10.3-1.cm2.x86_64.rpm libgcrypt-debuginfo-1.10.3-1.cm2.x86_64.rpm libgcrypt-devel-1.10.3-1.cm2.x86_64.rpm -libgomp-11.2.0-7.cm2.x86_64.rpm -libgomp-devel-11.2.0-7.cm2.x86_64.rpm +libgomp-11.2.0-8.cm2.x86_64.rpm +libgomp-devel-11.2.0-8.cm2.x86_64.rpm libgpg-error-1.46-1.cm2.x86_64.rpm libgpg-error-debuginfo-1.46-1.cm2.x86_64.rpm libgpg-error-devel-1.46-1.cm2.x86_64.rpm @@ -199,11 +205,11 @@ libsolv-0.7.24-1.cm2.x86_64.rpm libsolv-debuginfo-0.7.24-1.cm2.x86_64.rpm libsolv-devel-0.7.24-1.cm2.x86_64.rpm libsolv-tools-0.7.24-1.cm2.x86_64.rpm -libssh2-1.9.0-3.cm2.x86_64.rpm -libssh2-debuginfo-1.9.0-3.cm2.x86_64.rpm -libssh2-devel-1.9.0-3.cm2.x86_64.rpm -libstdc++-11.2.0-7.cm2.x86_64.rpm -libstdc++-devel-11.2.0-7.cm2.x86_64.rpm +libssh2-1.9.0-4.cm2.x86_64.rpm +libssh2-debuginfo-1.9.0-4.cm2.x86_64.rpm +libssh2-devel-1.9.0-4.cm2.x86_64.rpm +libstdc++-11.2.0-8.cm2.x86_64.rpm +libstdc++-devel-11.2.0-8.cm2.x86_64.rpm libtasn1-4.19.0-1.cm2.x86_64.rpm libtasn1-debuginfo-4.19.0-1.cm2.x86_64.rpm libtasn1-devel-4.19.0-1.cm2.x86_64.rpm 
@@ -518,7 +524,7 @@ python3-Cython-0.29.33-1.cm2.x86_64.rpm
 python3-debuginfo-3.9.14-8.cm2.x86_64.rpm
 python3-devel-3.9.14-8.cm2.x86_64.rpm
 python3-gpg-1.16.0-2.cm2.x86_64.rpm
-python3-jinja2-3.0.3-2.cm2.noarch.rpm
+python3-jinja2-3.0.3-3.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
 python3-libs-3.9.14-8.cm2.x86_64.rpm
 python3-libxml2-2.10.4-2.cm2.x86_64.rpm
diff --git a/toolkit/scripts/mariner-required-configs.json b/toolkit/scripts/mariner-required-configs.json
index ba7d127bb12..87c7f7b480d 100644
--- a/toolkit/scripts/mariner-required-configs.json
+++ b/toolkit/scripts/mariner-required-configs.json
@@ -1348,6 +1348,18 @@
 "PR": [
 "https://github.com/microsoft/CBL-Mariner/pull/7280"
 ]
+ },
+ "CONFIG_X86_IOPL_IOPERM": {
+ "value": [
+ "y"
+ ],
+ "arch": [
+ "AMD64"
+ ],
+ "comment": "Needed for customer",
+ "PR": [
+ "https://github.com/microsoft/CBL-Mariner/pull/7181"
+ ]
 }
 }
 }
diff --git a/toolkit/scripts/pkggen.mk b/toolkit/scripts/pkggen.mk
index f06dd99da91..1ad8057628b 100644
--- a/toolkit/scripts/pkggen.mk
+++ b/toolkit/scripts/pkggen.mk
@@ -233,6 +233,7 @@ $(preprocessed_file): $(cached_file) $(go-graphPreprocessor)
 ######## PACKAGE BUILD ########
+cache_archive = $(OUT_DIR)/cache.tar.gz
 pkggen_archive = $(OUT_DIR)/rpms.tar.gz
 srpms_archive = $(OUT_DIR)/srpms.tar.gz
@@ -326,6 +327,10 @@ compress-rpms:
 tar -cvp -f $(BUILD_DIR)/temp_rpms_tarball.tar.gz -C $(RPMS_DIR)/.. $(notdir $(RPMS_DIR))
 mv $(BUILD_DIR)/temp_rpms_tarball.tar.gz $(pkggen_archive)
+##help:target:compress-cached-rpms=Compresses all cached RPMs in `build/rpm_cache/cache` into `out/cache.tar.gz`.
+compress-cached-rpms:
+ tar -cvp -f $(cache_archive) -C $(remote_rpms_cache_dir)/.. $(notdir $(remote_rpms_cache_dir))
+
 ##help:target:compress-srpms=Compresses all SRPMs in `../out/SRPMS` into `../out/srpms.tar.gz`.
 # use temp tarball to avoid tar warning "file changed as we read it"
 # that can sporadically occur when tarball is the dir that is compressed
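Review bot: The `"comment": "Needed for customer"` entry records no rationale a later reviewer can check, unlike the descriptive comments the neighbouring entries carry. CONFIG_X86_IOPL_IOPERM enables the iopl()/ioperm() system calls, i.e. raw I/O-port access for processes holding CAP_SYS_RAWIO, so this required-configs entry widens what a privileged process can do and the reason for mandating it should be stated, e.g. `"comment": "Enables the iopl()/ioperm() syscalls (user-space port I/O, CAP_SYS_RAWIO only); required by <workload — fill in> (see PR)"`. The `arch` restriction to AMD64 is consistent with the option being x86-only.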
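Review bot: `compress-cached-rpms` writes straight into `$(cache_archive)`, whereas `compress-rpms` and `compress-srpms` pack into a temp tarball and `mv` it into place (the comment above `compress-srpms` explains the tar warning this avoids), and an interrupted run leaves a truncated archive under the final name. Use the same pattern: `tar -cvp -f $(BUILD_DIR)/temp_cache_tarball.tar.gz -C $(remote_rpms_cache_dir)/.. $(notdir $(remote_rpms_cache_dir))` followed by `mv $(BUILD_DIR)/temp_cache_tarball.tar.gz $(cache_archive)`. The `##help` text also hardcodes `build/rpm_cache/cache` and `out/cache.tar.gz` rather than describing them in terms of `$(remote_rpms_cache_dir)` and `$(OUT_DIR)`, so it will drift silently if those variables change.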
@@ -333,7 +338,10 @@ compress-srpms:
 tar -cvp -f $(BUILD_DIR)/temp_srpms_tarball.tar.gz -C $(SRPMS_DIR)/.. $(notdir $(SRPMS_DIR))
 mv $(BUILD_DIR)/temp_srpms_tarball.tar.gz $(srpms_archive)
-# Seed the cached RPMs folder files from the archive.
+##help:target:hydrate-cached-rpms=Hydrates the external RPMs cache from the `CACHED_PACKAGES_ARCHIVE` file.
+# All of the '*.rpm' files inside the archive will be extracted into the cache directory in flat manner.
+# Any duplicates inside the archive's subdirectories will be overwritten by the last one.
+# Also see the `compress-cached-rpms` target.
 hydrate-cached-rpms:
 $(if $(CACHED_PACKAGES_ARCHIVE),,$(error Must set CACHED_PACKAGES_ARCHIVE=))
 @mkdir -p $(remote_rpms_cache_dir)
diff --git a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh
index b51f4070c4e..5c120cc1dc7 100755
--- a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh
+++ b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh
@@ -338,7 +338,14 @@ build_rpm_in_chroot_no_install binutils
 build_rpm_in_chroot_no_install gmp
 build_rpm_in_chroot_no_install mpfr
 build_rpm_in_chroot_no_install libmpc
+
+if [[ $(uname -m) == "x86_64" ]]; then
+ # Need to install binutils-aarch64-linux-gnu to build gcc
+ chroot_and_install_rpms cross-binutils-common
+ chroot_and_install_rpms binutils-aarch64-linux-gnu
+fi
 build_rpm_in_chroot_no_install gcc
+
 build_rpm_in_chroot_no_install ncurses
 build_rpm_in_chroot_no_install readline
 build_rpm_in_chroot_no_install bash
diff --git a/toolkit/tools/downloader/downloader.go b/toolkit/tools/downloader/downloader.go
index 4b6c78059aa..7f00490f581 100644
--- a/toolkit/tools/downloader/downloader.go
+++ b/toolkit/tools/downloader/downloader.go
@@ -12,7 +12,6 @@ import (
 "net/url"
 "os"
 "path/filepath"
- "time"
 "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/exe"
 "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/file"
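Review bot: The new block keys on `$(uname -m)`, i.e. the build host's architecture, and the comment `# Need to install binutils-aarch64-linux-gnu to build gcc` does not say why gcc now needs the cross binutils; the x86_64 toolchain manifest in this same commit gains `gcc-aarch64-linux-gnu` and `cross-gcc-common`, so the reason is presumably that the gcc spec now builds a cross-compiler subpackage on x86_64, and the comment should say so. The installed cross packages remain in the chroot for every later `build_rpm_in_chroot_no_install` call (ncurses, readline, bash and onward), so confirm they cannot change what those packages detect at configure time. If `chroot_and_install_rpms` can fail without aborting the script (its error handling is outside this hunk), the gcc build would proceed against a missing dependency.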
@@ -107,32 +106,24 @@ func main() {
 }
 func downloadFile(srcUrl, dstFile string, caCerts *x509.CertPool, tlsCerts []tls.Certificate) (err error) {
- const (
- // With 6 attempts, initial delay of 1 second, and a backoff factor of 3.0 the total time spent retrying will be
- // 1 + 3 + 9 + 27 + 81 = 121 seconds.
- downloadRetryAttempts = 6
- failureBackoffBase = 3.0
- downloadRetryDuration = time.Second
- )
 cancel := make(chan struct{})
- retryNum := 1
- _, err = retry.RunWithExpBackoff(func() error {
+ _, err = retry.RunWithDefaultDownloadBackoff(func() error {
 netErr := network.DownloadFile(srcUrl, dstFile, caCerts, tlsCerts)
 if netErr != nil {
 // Check if the error contains the string "invalid response: 404", we should print a warning in that case so the
 // sees it even if we are running with --no-verbose. 404's are unlikely to fix themselves on retry, give up.
 if netErr.Error() == "invalid response: 404" {
- logger.Log.Warnf("Attempt %d/%d: Failed to download '%s' with error: '%s'", retryNum, downloadRetryAttempts, srcUrl, netErr)
+ logger.Log.Warnf("Attempt %d/%d: Failed to download '%s' with error: '%s'", retryNum, retry.DefaultDownloadRetryAttempts, srcUrl, netErr)
 logger.Log.Warnf("404 errors are likely unrecoverable, will not retry")
 close(cancel)
 } else {
- logger.Log.Infof("Attempt %d/%d: Failed to download '%s' with error: '%s'", retryNum, downloadRetryAttempts, srcUrl, netErr)
+ logger.Log.Infof("Attempt %d/%d: Failed to download '%s' with error: '%s'", retryNum, retry.DefaultDownloadRetryAttempts, srcUrl, netErr)
 }
 }
 retryNum++
 return netErr
- }, downloadRetryAttempts, downloadRetryDuration, failureBackoffBase, cancel)
+ }, cancel)
 if err != nil {
 err = fmt.Errorf("failed to download (%s) to (%s). Error:\n%w", srcUrl, dstFile, err)
diff --git a/toolkit/tools/go.mod b/toolkit/tools/go.mod
index 67f2008725b..ca2a66940ef 100644
--- a/toolkit/tools/go.mod
+++ b/toolkit/tools/go.mod
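Review bot: `retryNum` is still incremented and logged inside the closure, but its declaration `retryNum := 1` is among the removed lines and the new side adds no replacement, so unless the variable is now declared somewhere outside the hunk (nothing visible suggests it) `downloadFile` no longer compiles; keep `retryNum := 1` right after `cancel := make(chan struct{})`. The hunk header's line counts (32 old, 24 new) are consistent with the declaration really being dropped rather than a rendering artefact. The rest of `downloadFile` continues past the end of the hunk.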
@@ -18,7 +18,7 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.7.1 github.com/ulikunitz/xz v0.5.10 - golang.org/x/sys v0.14.0 + golang.org/x/sys v0.15.0 gonum.org/v1/gonum v0.14.0 gopkg.in/alecthomas/kingpin.v2 v2.2.6 gopkg.in/ini.v1 v1.67.0 @@ -44,7 +44,7 @@ require ( github.com/pmezard/go-difflib v1.0.0 // indirect github.com/rivo/uniseg v0.1.0 // indirect github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 // indirect - golang.org/x/crypto v0.15.0 // indirect + golang.org/x/crypto v0.17.0 // indirect golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect golang.org/x/net v0.18.0 // indirect golang.org/x/text v0.14.0 // indirect diff --git a/toolkit/tools/go.sum b/toolkit/tools/go.sum index ccbe391c3fa..cf51ddf7ac7 100644 --- a/toolkit/tools/go.sum +++ b/toolkit/tools/go.sum @@ -81,8 +81,8 @@ github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8= github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 h1:w8V9v0qVympSF6GjdjIyeqR7+EVhAF9CBQmkmW7Zw0w= github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8= -golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= -golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= +golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 h1:mchzmB1XO2pMaKFRqk/+MV3mgGG96aqaPXaMifQU47w= golang.org/x/exp v0.0.0-20231108232855-2478ac86f678/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg= 
@@ -92,8 +92,8 @@ golang.org/x/sys v0.0.0-20191018095205-727590c5006e/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= -golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= diff --git a/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go b/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go index da74981241c..1c150de5ca4 100644 --- a/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go +++ b/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go @@ -119,6 +119,7 @@ func validatePackages(config configuration.Config) (err error) { verityDebugPkgName = "verity-read-only-root-debug-tools" dracutFipsPkgName = "dracut-fips" fipsKernelCmdLine = "fips=1" + userAddPkgName = "shadow-utils" ) for _, systemConfig := range config.SystemConfigs { @@ -130,6 +131,7 @@ func validatePackages(config configuration.Config) (err error) { foundVerityInitramfsPackage := false foundVerityInitramfsDebugPackage := false foundDracutFipsPackage := false + foundUserAddPackage := false kernelCmdLineString := systemConfig.KernelCommandLine.ExtraCommandLine selinuxPkgName := systemConfig.KernelCommandLine.SELinuxPolicy if selinuxPkgName == "" { 
@@ -152,6 +154,9 @@ func validatePackages(config configuration.Config) (err error) {
 if pkg == selinuxPkgName {
 foundSELinuxPackage = true
 }
+ if pkg == userAddPkgName {
+ foundUserAddPackage = true
+ }
 }
 if systemConfig.ReadOnlyVerityRoot.Enable {
 if !foundVerityInitramfsPackage {
@@ -171,6 +176,11 @@ func validatePackages(config configuration.Config) (err error) {
 return fmt.Errorf("%s: [SELinux] selected, but '%s' package is not included in the package lists", validateError, selinuxPkgName)
 }
 }
+ if len(systemConfig.Users) > 0 || len(systemConfig.Groups) > 0 {
+ if !foundUserAddPackage {
+ return fmt.Errorf("%s: add users require '%s' package that is not included in the package lists", validateError, userAddPkgName)
+ }
+ }
 }
 return
diff --git a/toolkit/tools/imagecustomizer/docs/cli.md b/toolkit/tools/imagecustomizer/docs/cli.md
index 0d627e47d2f..ed802049200 100644
--- a/toolkit/tools/imagecustomizer/docs/cli.md
+++ b/toolkit/tools/imagecustomizer/docs/cli.md
@@ -29,12 +29,12 @@ The file path to write the final customized image to.
 ## --output-image-format=FORMAT
-Required.
-
 The image format of the the final customized image. Options: vhd, vhdx, qcow2, and raw.
+At least one of --output-image-format and --output-split-partitions-format is required.
+
 ## --output-split-partitions-format=FORMAT
 Format of partition files. If specified, disk partitions will be extracted as separate files.
diff --git a/toolkit/tools/imagecustomizer/main.go b/toolkit/tools/imagecustomizer/main.go
index 081abbd6723..54d467a4e15 100644
--- a/toolkit/tools/imagecustomizer/main.go
+++ b/toolkit/tools/imagecustomizer/main.go
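Review bot: The new check nests two `if`s where a single condition reads more clearly, and the message `add users require '%s' package that is not included in the package lists` is ungrammatical and unlike the neighbouring `[SELinux] selected, but ...` wording. Suggest `if (len(systemConfig.Users) > 0 || len(systemConfig.Groups) > 0) && !foundUserAddPackage {` returning `fmt.Errorf("%s: [Users] or [Groups] configured, but '%s' package is not included in the package lists", validateError, userAddPkgName)`. The match in the first hunk is an exact string compare on `userAddPkgName`, which is consistent with how the other package checks in this function work. `validatePackages` begins before the hunk.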
@@ -21,7 +21,7 @@ var (
 buildDir = app.Flag("build-dir", "Directory to run build out of.").Required().String()
 imageFile = app.Flag("image-file", "Path of the base CBL-Mariner image which the customization will be applied to.").Required().String()
 outputImageFile = app.Flag("output-image-file", "Path to write the customized image to.").Required().String()
- outputImageFormat = app.Flag("output-image-format", "Format of output image. Supported: vhd, vhdx, qcow2, raw.").Required().Enum("vhd", "vhdx", "qcow2", "raw")
+ outputImageFormat = app.Flag("output-image-format", "Format of output image. Supported: vhd, vhdx, qcow2, raw.").Enum("vhd", "vhdx", "qcow2", "raw")
 outputSplitPartitionsFormat = app.Flag("output-split-partitions-format", "Format of partition files. Supported: raw, raw-zstd").Enum("raw", "raw-zstd")
 configFile = app.Flag("config-file", "Path of the image customization config file.").Required().String()
 rpmSources = app.Flag("rpm-source", "Path to a RPM repo config file or a directory containing RPMs.").Strings()
@@ -37,6 +37,9 @@ func main() {
 app.Version(imagecustomizerlib.ToolVersion)
 kingpin.MustParse(app.Parse(os.Args[1:]))
+ if *outputSplitPartitionsFormat == "" && *outputImageFormat == "" {
+ kingpin.Fatalf("Either --output-image-format or --output-split-partitions-format must be specified.")
+ }
 logger.InitBestEffort(*logFile, *logLevel)
diff --git a/toolkit/tools/imagecustomizerapi/user.go b/toolkit/tools/imagecustomizerapi/user.go
index 9eacff73943..b09a56c3685 100644
--- a/toolkit/tools/imagecustomizerapi/user.go
+++ b/toolkit/tools/imagecustomizerapi/user.go
@@ -17,6 +17,7 @@ type User struct {
 PasswordPath string `yaml:"PasswordPath"`
 PasswordExpiresDays *int64 `yaml:"PasswordExpiresDays"`
 SSHPubKeyPaths []string `yaml:"SSHPubKeyPaths"`
+ SSHPubKeys []string `yaml:"SSHPubKeys"`
 PrimaryGroup string `yaml:"PrimaryGroup"`
 SecondaryGroups []string `yaml:"SecondaryGroups"`
 StartupCommand string `yaml:"StartupCommand"`
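Review bot: The either/or requirement is enforced after `kingpin.MustParse` through a hand-written `kingpin.Fatalf`, so it is invisible in `--help` and reported differently from the parser's own usage errors; kingpin's `app.Validate(func(*kingpin.Application) error { ... })` hook would let the parser raise it like any other usage error. The condition itself is right: `Enum` without a `Default` leaves the flag at `""` when unset, which is exactly what the check tests for. The message matches the updated cli.md wording.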
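Review bot: The new `SSHPubKeys` field has no comment distinguishing it from `SSHPubKeyPaths`, and nothing in this hunk validates its entries; the same field is added to `toolkit/tools/imagegen/configuration/user.go` later in this commit with the same gap. Document it, e.g. `// SSHPubKeys holds public-key text supplied inline, in addition to the keys read from the files in SSHPubKeyPaths.`, and if each entry ends up written as one authorized_keys line (the writer is not visible here) have the config validator reject empty entries and entries containing line breaks, since a single entry should not be able to turn into several authorized_keys records.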
diff --git a/toolkit/tools/imagegen/configuration/user.go b/toolkit/tools/imagegen/configuration/user.go
index 330f2cf4b39..f1cdfd0da34 100644
--- a/toolkit/tools/imagegen/configuration/user.go
+++ b/toolkit/tools/imagegen/configuration/user.go
@@ -21,6 +21,7 @@ type User struct {
 Password string `json:"Password"`
 PasswordExpiresDays int64 `json:"PasswordExpiresDays"`
 SSHPubKeyPaths []string `json:"SSHPubKeyPaths"`
+ SSHPubKeys []string `json:"SSHPubKeys"`
 PrimaryGroup string `json:"PrimaryGroup"`
 SecondaryGroups []string `json:"SecondaryGroups"`
 StartupCommand string `json:"StartupCommand"`
diff --git a/toolkit/tools/imagegen/diskutils/diskutils.go b/toolkit/tools/imagegen/diskutils/diskutils.go
index 5562b68f1fe..20704d8acd7 100644
--- a/toolkit/tools/imagegen/diskutils/diskutils.go
+++ b/toolkit/tools/imagegen/diskutils/diskutils.go
@@ -22,6 +22,19 @@ import (
 "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/shell"
 )
+var (
+ // When calling mkfs, the default options change depending on the host OS you are running on and typically match
+ // what the distro has decided is best for their OS. For example, for ext2/3/4, the defaults are stored in
+ // /etc/mke2fs.conf.
+ // However, when building Mariner images, the defaults should be as consistent as possible and should only contain
+ // features that are supported on Mariner.
+ DefaultMkfsOptions = map[string][]string{
+ "ext2": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr"},
+ "ext3": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr,has_journal"},
+ "ext4": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr,has_journal,extent,huge_file,flex_bg,metadata_csum,64bit,dir_nlink,extra_isize"},
+ }
+)
 type blockDevicesOutput struct {
 Devices []blockDeviceInfo `json:"blockdevices"`
 }
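Review bot: `DefaultMkfsOptions` is an exported, mutable package-level map, so any importer can alter the feature set every later `FormatSinglePartition` call passes to mkfs; now that this commit removes the `mkfsOptions` parameter from `CreatePartitions` and `FormatSinglePartition`, the map is the only knob left, and making it unexported (or handing out a copy through a small accessor) keeps that knob inside this package. The doc comment should also state which filesystem types are covered, e.g. `// Types with no entry here (vfat, xfs) presumably fall through to mkfs's own defaults — confirm in FormatSinglePartition.`, since the switch in the later hunk looks up `vfat`/`xfs` too and gets a nil slice. A pointer to wherever the "supported on Mariner" ext feature list is actually guaranteed would help the next person who edits the `-O` strings.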
@@ -412,7 +425,7 @@ func WaitForDevicesToSettle() error { // CreatePartitions creates partitions on the specified disk according to the disk config func CreatePartitions(diskDevPath string, disk configuration.Disk, rootEncryption configuration.RootEncryption, - readOnlyRootConfig configuration.ReadOnlyVerityRoot, mkfsOptions map[string][]string, + readOnlyRootConfig configuration.ReadOnlyVerityRoot, ) (partDevPathMap map[string]string, partIDToFsTypeMap map[string]string, encryptedRoot EncryptedRootDevice, readOnlyRoot VerityDevice, err error) { const timeoutInSeconds = "5" partDevPathMap = make(map[string]string) @@ -461,7 +474,7 @@ func CreatePartitions(diskDevPath string, disk configuration.Disk, rootEncryptio return partDevPathMap, partIDToFsTypeMap, encryptedRoot, readOnlyRoot, err } - partFsType, err := FormatSinglePartition(partDevPath, partition, mkfsOptions) + partFsType, err := FormatSinglePartition(partDevPath, partition) if err != nil { logger.Log.Warnf("Failed to format partition") return partDevPathMap, partIDToFsTypeMap, encryptedRoot, readOnlyRoot, err @@ -654,7 +667,7 @@ func InitializeSinglePartition(diskDevPath string, partitionNumber int, partitio } // FormatSinglePartition formats the given partition to the type specified in the partition configuration -func FormatSinglePartition(partDevPath string, partition configuration.Partition, mkfsOptions map[string][]string, +func FormatSinglePartition(partDevPath string, partition configuration.Partition, ) (fsType string, err error) { const ( totalAttempts = 5 @@ -668,7 +681,7 @@ func FormatSinglePartition(partDevPath string, partition configuration.Partition // To handle such cases, we can retry the command. switch fsType { case "fat32", "fat16", "vfat", "ext2", "ext3", "ext4", "xfs": - mkfsOptions := mkfsOptions[fsType] + mkfsOptions := DefaultMkfsOptions[fsType] if fsType == "fat32" || fsType == "fat16" { fsType = "vfat" 
diff --git a/toolkit/tools/imagegen/installutils/installutils.go b/toolkit/tools/imagegen/installutils/installutils.go index b4e62a0d774..02217f2cbab 100644 --- a/toolkit/tools/imagegen/installutils/installutils.go +++ b/toolkit/tools/imagegen/installutils/installutils.go @@ -387,7 +387,8 @@ func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []s defer timestamp.StopEvent(nil) const ( - filesystemPkg = "filesystem" + filesystemPkg = "filesystem" + shadowUtilsPkg = "shadow-utils" ) defer stopGPGAgent(installChroot) @@ -439,6 +440,14 @@ func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []s if err != nil { return } + if len(config.Users) > 0 || len(config.Groups) > 0 { + shadowUtilsInstalled := 0 + shadowUtilsInstalled, err = TdnfInstallWithProgress(shadowUtilsPkg, installRoot, packagesInstalled, totalPackages, true) + if err != nil { + return + } + packagesInstalled += shadowUtilsInstalled + } hostname := config.Hostname if !isRootFS && mountPointToFsTypeMap[rootMountPoint] != overlay { @@ -449,6 +458,18 @@ func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []s } } + // Add groups + err = addGroups(installChroot, config.Groups) + if err != nil { + return + } + + // Add users + err = addUsers(installChroot, config.Users) + if err != nil { + return + } + // Install packages one-by-one to avoid exhausting memory // on low resource systems for _, pkg := range packagesToInstall { @@ -473,18 +494,6 @@ func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []s if err != nil { return } - - // Add groups - err = addGroups(installChroot, config.Groups) - if err != nil { - return - } - } - - // Add users - err = addUsers(installChroot, config.Users) - if err != nil { - return } // Add machine-id 
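Review bot: `addGroups` and `addUsers` now run before the `packagesToInstall` loop (hunk `@@ -449,6 +458,18`, with the old placement removed in `@@ -473,18 +494,6`), so the configured accounts exist in the chroot's `passwd`/`group`/`shadow` before any package from the image's package list is installed; a package whose scriptlets create a system user or group with the same name or ID will now find a pre-existing entry, the reverse of the previous order. That interaction is not visible in this diff and may be intended, but the `// Add groups` comment should say why accounts are provisioned ahead of packages and that `shadowUtilsPkg` is installed early only for that purpose, e.g. `// Users and groups are created before the package list is installed so that ...; shadow-utils is pulled in first because useradd/groupadd come from it.` In the `@@ -439,6 +440,14` hunk, `shadowUtilsInstalled := 0` followed by `shadowUtilsInstalled, err = ...` reads as a workaround to avoid shadowing the (presumably named) `err`; `var shadowUtilsInstalled int` states that intent directly. `PopulateInstallRoot` starts and ends outside these hunks.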
@@ -1242,7 +1251,7 @@ func addUsers(installChroot *safechroot.Chroot, users []configuration.User) (err return } - err = ProvisionUserSSHCerts(installChroot, user.Name, user.SSHPubKeyPaths) + err = ProvisionUserSSHCerts(installChroot, user.Name, user.SSHPubKeyPaths, user.SSHPubKeys) if err != nil { return } @@ -1477,7 +1486,7 @@ func ConfigureUserStartupCommand(installChroot safechroot.ChrootInterface, usern return } -func ProvisionUserSSHCerts(installChroot safechroot.ChrootInterface, username string, sshPubKeyPaths []string) (err error) { +func ProvisionUserSSHCerts(installChroot safechroot.ChrootInterface, username string, sshPubKeyPaths []string, sshPubKeys []string) (err error) { var ( pubKeyData []string exists bool @@ -1489,7 +1498,7 @@ func ProvisionUserSSHCerts(installChroot safechroot.ChrootInterface, username st // Skip user SSH directory generation when not provided with public keys // Let SSH handle the creation of this folder on its first use - if len(sshPubKeyPaths) == 0 { + if len(sshPubKeyPaths) == 0 && len(sshPubKeys) == 0 { return } @@ -1518,8 +1527,10 @@ func ProvisionUserSSHCerts(installChroot safechroot.ChrootInterface, username st } defer os.Remove(authorizedKeysTempFile) + allSSHKeys := make([]string, 0, len(sshPubKeyPaths)+len(sshPubKeys)) + + // Add SSH keys from sshPubKeyPaths for _, pubKey := range sshPubKeyPaths { - logger.Log.Infof("Adding ssh key (%s) to user (%s)", filepath.Base(pubKey), username) relativeDst := filepath.Join(userSSHKeyDir, filepath.Base(pubKey)) fileToCopy := safechroot.FileToCopy{ 
@@ -1532,21 +1543,26 @@ func ProvisionUserSSHCerts(installChroot safechroot.ChrootInterface, username st return } - logger.Log.Infof("Adding ssh key (%s) to user (%s) .ssh/authorized_users", filepath.Base(pubKey), username) pubKeyData, err = file.ReadLines(pubKey) if err != nil { logger.Log.Warnf("Failed to read from SSHPubKey : %v", err) return } - // Append to the tmp/authorized_users file - for _, sshkey := range pubKeyData { - sshkey += "\n" - err = file.Append(sshkey, authorizedKeysTempFile) - if err != nil { - logger.Log.Warnf("Failed to append to %s : %v", authorizedKeysTempFile, err) - return - } + allSSHKeys = append(allSSHKeys, pubKeyData...) + } + + // Add direct SSH keys + allSSHKeys = append(allSSHKeys, sshPubKeys...) + + for _, pubKey := range allSSHKeys { + logger.Log.Infof("Adding ssh key (%s) to user (%s) .ssh/authorized_users", filepath.Base(pubKey), username) + pubKey += "\n" + + err = file.Append(pubKey, authorizedKeysTempFile) + if err != nil { + logger.Log.Warnf("Failed to append to %s : %v", authorizedKeysTempFile, err) + return } } diff --git a/toolkit/tools/imagegen/installutils/installutils_test.go b/toolkit/tools/imagegen/installutils/installutils_test.go index 00643068926..bde3406a350 100644 --- a/toolkit/tools/imagegen/installutils/installutils_test.go +++ b/toolkit/tools/imagegen/installutils/installutils_test.go @@ -71,7 +71,7 @@ func TestCopyAdditionalFiles(t *testing.T) { proposedDir := filepath.Join(tmpDir, "TestCopyAdditionalFiles") chroot := safechroot.NewChroot(proposedDir, false) - err := chroot.Initialize("", []string{}, []*safechroot.MountPoint{}) + err := chroot.Initialize("", []string{}, []*safechroot.MountPoint{}, true) assert.NoError(t, err) defer chroot.Close(false) diff --git a/toolkit/tools/imager/imager.go b/toolkit/tools/imager/imager.go index 3e29d02c97b..06d2ea5fc71 100644 --- a/toolkit/tools/imager/imager.go +++ b/toolkit/tools/imager/imager.go 
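Review bot: Each entry of `sshPubKeys` is written to `authorizedKeysTempFile` verbatim with only a trailing newline appended, so an inline config value that itself contains a newline becomes several `authorized_keys` lines, and leading/trailing whitespace or empty strings produce malformed or blank entries; lines read from `sshPubKeyPaths` had the same property, but those came from files rather than a YAML/JSON string. Trimming with `strings.TrimSpace`, skipping empty entries and rejecting embedded newlines before the append would keep the file well-formed, e.g. `if strings.ContainsRune(pubKey, '\n') { err = fmt.Errorf("ssh public key for user (%s) must be a single line", username); return }` (assuming `strings` is already imported in this file). The log line still calls `filepath.Base(pubKey)`, but `pubKey` is now key text rather than a path, so it logs either the whole key or an arbitrary fragment after the last `/` in the base64 data; logging the key type (first field) or just a count would be clearer. `ProvisionUserSSHCerts` continues outside the hunk.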
@@ -244,7 +244,7 @@ func buildSystemConfig(systemConfig configuration.SystemConfig, disks []configur extraMountPoints = append(extraMountPoints, additionalExtraMountPoints...) setupChroot := safechroot.NewChroot(setupChrootDir, existingChrootDir) - err = setupChroot.Initialize(*tdnfTar, extraDirectories, extraMountPoints) + err = setupChroot.Initialize(*tdnfTar, extraDirectories, extraMountPoints, true) if err != nil { logger.Log.Error("Failed to create setup chroot") return @@ -417,7 +417,7 @@ func setupLoopDeviceDisk(outputDir, diskName string, diskConfig configuration.Di func setupRealDisk(diskDevPath string, diskConfig configuration.Disk, rootEncryption configuration.RootEncryption, readOnlyRootConfig configuration.ReadOnlyVerityRoot) (partIDToDevPathMap, partIDToFsTypeMap map[string]string, encryptedRoot diskutils.EncryptedRootDevice, readOnlyRoot diskutils.VerityDevice, err error) { // Set up partitions - partIDToDevPathMap, partIDToFsTypeMap, encryptedRoot, readOnlyRoot, err = diskutils.CreatePartitions(diskDevPath, diskConfig, rootEncryption, readOnlyRootConfig, nil) + partIDToDevPathMap, partIDToFsTypeMap, encryptedRoot, readOnlyRoot, err = diskutils.CreatePartitions(diskDevPath, diskConfig, rootEncryption, readOnlyRootConfig) if err != nil { logger.Log.Errorf("Failed to create partitions on disk (%s)", diskDevPath) return @@ -562,7 +562,7 @@ func buildImage(mountPointMap, mountPointToFsTypeMap, mountPointToMountArgsMap, installChroot := safechroot.NewChroot(installRoot, existingChrootDir) extraInstallMountPoints := []*safechroot.MountPoint{} extraDirectories := []string{} - err = installChroot.Initialize(emptyWorkerTar, extraDirectories, extraInstallMountPoints) + err = installChroot.Initialize(emptyWorkerTar, extraDirectories, extraInstallMountPoints, true) if err != nil { err = fmt.Errorf("failed to create install chroot: %s", err) return 
diff --git a/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go b/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go index e8cec97152a..c10bbcf1e10 100644 --- a/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go +++ b/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go @@ -9,6 +9,7 @@ import ( "io" "os" "path/filepath" + "regexp" "strings" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/buildpipeline" @@ -16,6 +17,7 @@ import ( "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/packagerepo/repocloner" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/packagerepo/repomanager/rpmrepomanager" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/pkgjson" + "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/retry" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/safechroot" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/shell" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/tdnf" @@ -50,6 +52,11 @@ const ( useMultipleTransactions = !useSingleTransaction ) +var ( + serverErrorsRegex = regexp.MustCompile(`(?m)Error: (5\d{2}) when downloading`) + serverErrorCodeIndex = 1 +) + // RpmRepoCloner represents an RPM repository cloner. type RpmRepoCloner struct { chroot *safechroot.Chroot @@ -165,7 +172,7 @@ func (r *RpmRepoCloner) initialize(destinationDir, tmpDir, workerTar, existingRp // Also request that /overlaywork is created before any chroot mounts happen so the overlay can // be created successfully - err = r.chroot.Initialize(workerTar, overlayExtraDirs, extraMountPoints) + err = r.chroot.Initialize(workerTar, overlayExtraDirs, extraMountPoints, true) if err != nil { r.chroot = nil return 
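Review bot: `serverErrorCodeIndex = 1` is declared in a `var` block next to the compiled regex but never changes; `const serverErrorCodeIndex = 1`, or a named group `(?P<code>5\d{2})` resolved with `serverErrorsRegex.SubexpIndex("code")`, makes that explicit and keeps the index from silently drifting if the pattern gains a group. A one-line comment on the pattern saying it matches tdnf's `Error: 5xx when downloading` lines would also help, since its only consumer (`tdnfDownload`) is several hundred lines away.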
@@ -597,11 +604,6 @@ func (r *RpmRepoCloner) Close() error { // clonePackage clones a given package using pre-populated arguments. // It will gradually enable more repos to consider until the package is found. func (r *RpmRepoCloner) clonePackage(baseArgs []string) (preBuilt bool, err error) { - const ( - unresolvedOutputPrefix = "No package" - toyboxConflictsPrefix = "toybox conflicts" - unresolvedOutputPostfix = "available" - ) releaseverCliArg, err := tdnf.GetReleaseverCliArg() if err != nil { 
@@ -615,40 +617,23 @@ func (r *RpmRepoCloner) clonePackage(baseArgs []string) (preBuilt bool, err erro finalArgs := append(baseArgs, reposArgs...) - var ( - stdout string - stderr string - ) - stdout, stderr, err = shell.Execute("tdnf", finalArgs...) - - logger.Log.Debugf("stdout: %s", stdout) - logger.Log.Debugf("stderr: %s", stderr) - - if err != nil { - logger.Log.Debugf("tdnf error (will continue if the only errors are toybox conflicts):\n '%s'", stderr) - } - - // ============== TDNF SPECIFIC IMPLEMENTATION ============== - // Check if TDNF could not resolve a given package. If TDNF does not find a requested package, - // it will not error. Instead it will print a message to stdout. Check for this message. - // - // *NOTE*: TDNF will attempt best effort. If N packages are requested, and 1 cannot be found, - // it will still download N-1 packages while also printing the message. - splitStdout := strings.Split(stdout, "\n") - for _, line := range splitStdout { - trimmedLine := strings.TrimSpace(line) - // Toybox conflicts are a known issue, reset the err value if encountered - if strings.HasPrefix(trimmedLine, toyboxConflictsPrefix) { - logger.Log.Warn("Ignoring known toybox conflict") - err = nil - continue - } - // If a package was not available, update err - if strings.HasPrefix(trimmedLine, unresolvedOutputPrefix) && strings.HasSuffix(trimmedLine, unresolvedOutputPostfix) { - err = fmt.Errorf(trimmedLine) - break + // We run in a retry loop on errors deemed retriable. + cancel := make(chan struct{}) + retryNum := 1 + _, err = retry.RunWithDefaultDownloadBackoff(func() error { + downloadErr, retriable := tdnfDownload(finalArgs...) + if downloadErr != nil { + if retriable { + logger.Log.Debugf("Package cloning attempt %d/%d failed with a retriable error.", retryNum, retry.DefaultDownloadRetryAttempts) + } else { + logger.Log.Debugf("Package cloning attempt %d/%d failed with an unrecoverable error. 
Cancelling.", retryNum, retry.DefaultDownloadRetryAttempts) + close(cancel) + } } - } + + retryNum++ + return downloadErr + }, cancel) if err == nil { preBuilt = r.reposArgsHaveOnlyLocalSources(reposArgs) 
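Review bot: `close(cancel)` inside the retry callback panics with "close of closed channel" if `RunWithDefaultDownloadBackoff` ever invokes the callback again after a non-retriable error; whether it can depends on `RunWithExpBackoff` checking `cancel` before the next attempt, which is not visible here. Tracking a local `cancelled bool` and closing only when it is still false (or closing via a `sync.Once` if `sync` is imported) removes the dependence on that ordering. The loop also drops the old `toybox conflicts` special case that reset `err`, consistent with the constant removed in the previous hunk; a sentence in the comment above the loop noting that such conflicts are now treated as failures would save the next reader from reconstructing that. `clonePackage` continues outside the hunk.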
@@ -809,3 +794,50 @@ func (r *RpmRepoCloner) reposArgsHaveOnlyLocalSources(reposArgs []string) bool { return true } + +func tdnfDownload(args ...string) (err error, retriable bool) { + const ( + unresolvedOutputPrefix = "No package" + unresolvedOutputSuffix = "available" + ) + + stdout, stderr, err := shell.Execute("tdnf", args...) + + logger.Log.Debugf("stdout: %s", stdout) + logger.Log.Debugf("stderr: %s", stderr) + + // ============== TDNF SPECIFIC IMPLEMENTATION ============== + // + // Check if TDNF could not resolve a given package. If TDNF does not find a requested package, + // it will not error. Instead it will print a message to stdout. Check for this message. + // + // *NOTE*: TDNF will attempt best effort. If N packages are requested, and 1 cannot be found, + // it will still download N-1 packages while also printing the message. + splitStdout := strings.Split(stdout, "\n") + for _, line := range splitStdout { + trimmedLine := strings.TrimSpace(line) + // If a package was not available, update err + if strings.HasPrefix(trimmedLine, unresolvedOutputPrefix) && strings.HasSuffix(trimmedLine, unresolvedOutputSuffix) { + err = fmt.Errorf(trimmedLine) + return + } + } + + // + // *NOTE*: There are cases in which some of our upstream package repositories are hosted + // on services that are prone to intermittent errors (e.g., HTTP 502 errors). We + // specifically look for such known cases and apply some retry logic in hopes of getting + // a better result; note that we don't indiscriminately retry because there are legitimate + // cases in which the upstream repo doesn't contain the package and a 404 error is to be + // expected. This involves scraping through stderr, but it's better than not doing so. 
+ // + if err != nil { + serverErrorMatch := serverErrorsRegex.FindStringSubmatch(stderr) + if len(serverErrorMatch) > serverErrorCodeIndex { + logger.Log.Debugf("Encountered possibly intermittent HTTP %s error.", serverErrorMatch[serverErrorCodeIndex]) + retriable = true + } + } + + return +} diff --git a/toolkit/tools/internal/packagerepo/repoutils/repoquery.go b/toolkit/tools/internal/packagerepo/repoutils/repoquery.go index 515682a25ea..49e6072f7b9 100644 --- a/toolkit/tools/internal/packagerepo/repoutils/repoquery.go +++ b/toolkit/tools/internal/packagerepo/repoutils/repoquery.go @@ -112,7 +112,7 @@ func createChroot(workerTar, chrootDir string, leaveChrootOnDisk bool) (queryChr logger.Log.Info("Creating chroot for repoquery") queryChroot = safechroot.NewChroot(chrootDir, false) - err = queryChroot.Initialize(workerTar, nil, nil) + err = queryChroot.Initialize(workerTar, nil, nil, true) if err != nil { err = fmt.Errorf("failed to initialize chroot:\n%w", err) return diff --git a/toolkit/tools/internal/retry/retry.go b/toolkit/tools/internal/retry/retry.go index dd218ec2ab0..5e218f55378 100644 --- a/toolkit/tools/internal/retry/retry.go +++ b/toolkit/tools/internal/retry/retry.go @@ -8,6 +8,14 @@ import ( "time" ) +const ( + // With 5 attempts (4 retries) and a backoff factor of 2 seconds the total time spent retrying will be approximately: + // 1 + 4 + 8 + 16 = 31 seconds. + DefaultDownloadBackoffBase = 2.0 + DefaultDownloadRetryAttempts = 5 + DefaultDownloadRetryDuration = time.Second +) + // calculateDelay calculates the delay for the given failure count, sleep duration, and backoff exponent base. // If the base is positive, it will calculate an exponential backoff. func calculateExpDelay(failCount int, sleep time.Duration, backoffExponentBase float64) time.Duration { 
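Review bot: `err = fmt.Errorf(trimmedLine)` uses a line of tdnf stdout as the format string, so any `%` in a package name or message is interpreted as a verb and `go vet` reports a non-constant format string; `err = fmt.Errorf("%s", trimmedLine)` (or `errors.New` if `errors` is imported) preserves the text exactly. The result list `(err error, retriable bool)` puts the error first, against convention and `staticcheck` ST1008; `(retriable bool, err error)` with the call site changed to `retriable, downloadErr := tdnfDownload(finalArgs...)` reads naturally. The missing-package check also returns before the 5xx scan, so output containing both a `No package ... available` line and a server error is reported as unrecoverable; that may be acceptable, but the comment block arguing for retries should say so.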
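Review bot: The arithmetic in the comment above `DefaultDownloadBackoffBase` does not add up: `1 + 4 + 8 + 16` is 29, not 31, and the 2-second step is missing. With base 2.0 and a 1-second `DefaultDownloadRetryDuration` the waits are 1, 2, 4, 8 and 16 seconds, so the line should read `// 1 + 2 + 4 + 8 + 16 = 31 seconds.` — or 30 if the first attempt is not delayed, which depends on `RunWithExpBackoff` outside this hunk.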
@@ -83,6 +91,14 @@ func RunWithLinearBackoff(function func() error, attempts int, sleep time.Durati }, attempts, cancel) } +// RunWithDefaultDownloadBackoff runs function up to 'DefaultDownloadRetryAttempts' times, waiting 'DefaultDownloadBackoffBase^(i-1)' seconds before +// each i-th attempt. An optional cancel channel can be provided to cancel the retry loop immediately by closing the channel. +// +// The function is meant as a default for network download operations. +func RunWithDefaultDownloadBackoff(function func() error, cancel <-chan struct{}) (wasCancelled bool, err error) { + return RunWithExpBackoff(function, DefaultDownloadRetryAttempts, DefaultDownloadRetryDuration, DefaultDownloadBackoffBase, cancel) +} + // RunWithExpBackoff runs function up to 'attempts' times, waiting 'backoffExponentBase^(i-1) * sleep' duration before // each i-th attempt. An optional cancel channel can be provided to cancel the retry loop immediately by closing the channel. func RunWithExpBackoff(function func() error, attempts int, sleep time.Duration, backoffExponentBase float64, cancel <-chan struct{}) (wasCancelled bool, err error) { diff --git a/toolkit/tools/internal/safechroot/safechroot.go b/toolkit/tools/internal/safechroot/safechroot.go index eca2505b088..ef86591a7e4 100644 --- a/toolkit/tools/internal/safechroot/safechroot.go +++ b/toolkit/tools/internal/safechroot/safechroot.go @@ -173,7 +173,9 @@ func NewChroot(rootDir string, isExistingDir bool) *Chroot { // // This call will block until the chroot initializes successfully. // Only one Chroot will initialize at a given time. -func (c *Chroot) Initialize(tarPath string, extraDirectories []string, extraMountPoints []*MountPoint) (err error) { +func (c *Chroot) Initialize(tarPath string, extraDirectories []string, extraMountPoints []*MountPoint, + includeDefaultMounts bool, +) (err error) { // On failed initialization, cleanup all chroot files const leaveChrootOnDisk = false 
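Review bot: The doc comment on `Initialize` is not updated for the new `includeDefaultMounts` parameter, and the effect of passing `false` — skipping `defaultMountPoints()` in the next hunk so that only `extraMountPoints` are mounted — is visible only in the body. Since the commit passes `false` for the existing-image chroot that is later copied with `cp -a` in customizepartitionsfilecopy.go and `true` everywhere else, the parameter carries a safety property worth stating, e.g. `// includeDefaultMounts controls whether the mounts from defaultMountPoints() are added after extraMountPoints; pass false for a chroot whose tree will be copied or archived wholesale, so that those mounts are not traversed.` What `defaultMountPoints()` actually mounts is outside this hunk, so the wording should be checked against it. `Initialize` continues past the hunk.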
@@ -256,7 +258,9 @@ func (c *Chroot) Initialize(tarPath string, extraDirectories []string, extraMoun } } - allMountPoints = append(allMountPoints, defaultMountPoints()...) + if includeDefaultMounts { + allMountPoints = append(allMountPoints, defaultMountPoints()...) + } for _, mountPoint := range extraMountPoints { if !mountPoint.mountBeforeDefaults { diff --git a/toolkit/tools/internal/safechroot/safechroot_test.go b/toolkit/tools/internal/safechroot/safechroot_test.go index d038270c256..c9e19d99f70 100644 --- a/toolkit/tools/internal/safechroot/safechroot_test.go +++ b/toolkit/tools/internal/safechroot/safechroot_test.go @@ -56,7 +56,7 @@ func TestInitializeShouldCreateRoot(t *testing.T) { dir := filepath.Join(t.TempDir(), "TestInitializeShouldCreateRoot") chroot := NewChroot(dir, isExistingDir) - err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints) + err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints, true) assert.NoError(t, err) defer chroot.Close(defaultLeaveOnDisk) @@ -72,7 +72,7 @@ func TestCloseShouldRemoveRoot(t *testing.T) { dir := filepath.Join(t.TempDir(), "TestCloseShouldRemoveRoot") chroot := NewChroot(dir, isExistingDir) - err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints) + err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints, true) assert.NoError(t, err) // save away chroot location and close @@ -102,7 +102,7 @@ func TestCloseShouldLeaveRootOnRequest(t *testing.T) { dir := filepath.Join(t.TempDir(), "TestCloseShouldLeaveRootOnRequest") chroot := NewChroot(dir, isExistingDir) - err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints) + err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints, true) assert.NoError(t, err) err = chroot.Close(leaveOnDisk) 
@@ -134,7 +134,7 @@ func TestRunShouldReturnCorrectError(t *testing.T) { dir := filepath.Join(t.TempDir(), "TestRunShouldReturnCorrectError") chroot := NewChroot(dir, isExistingDir) - err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints) + err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints, true) assert.NoError(t, err) defer chroot.Close(defaultLeaveOnDisk) @@ -153,7 +153,7 @@ func TestRunShouldChangeCWD(t *testing.T) { dir := filepath.Join(t.TempDir(), "TestRunShouldChangeCWD") chroot := NewChroot(dir, isExistingDir) - err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints) + err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints, true) assert.NoError(t, err) defer chroot.Close(defaultLeaveOnDisk) @@ -178,7 +178,7 @@ func TestShouldRestoreCWD(t *testing.T) { dir := filepath.Join(t.TempDir(), "TestShouldRestoreCWD") chroot := NewChroot(dir, isExistingDir) - err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints) + err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints, true) assert.NoError(t, err) defer chroot.Close(defaultLeaveOnDisk) @@ -205,7 +205,7 @@ func TestInitializeShouldExtractTar(t *testing.T) { dir := filepath.Join(t.TempDir(), "TestInitializeShouldExtractTar") chroot := NewChroot(dir, isExistingDir) - err := chroot.Initialize(tarPath, extraDirectories, extraMountPoints) + err := chroot.Initialize(tarPath, extraDirectories, extraMountPoints, true) assert.NoError(t, err) defer chroot.Close(defaultLeaveOnDisk) @@ -228,7 +228,7 @@ func TestInitializeShouldCreateCustomMountPoints(t *testing.T) { dir := filepath.Join(t.TempDir(), "TestInitializeShouldCreateCustomMountPoints") chroot := NewChroot(dir, isExistingDir) - err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints) + err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints, true) assert.NoError(t, err) defer chroot.Close(defaultLeaveOnDisk) 
@@ -251,7 +251,7 @@ func TestInitializeShouldCleanupOnBadMountPoint(t *testing.T) { dir := filepath.Join(t.TempDir(), "TestInitializeShouldCleanupOnBadMountPoint") chroot := NewChroot(dir, isExistingDir) - err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints) + err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints, true) assert.Error(t, err) _, err = os.Stat(dir) @@ -268,7 +268,7 @@ func TestInitializeShouldCreateExtraDirectories(t *testing.T) { dir := filepath.Join(t.TempDir(), "TestInitializeShouldCreateExtraDirectories") chroot := NewChroot(dir, isExistingDir) - err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints) + err := chroot.Initialize(emptyPath, extraDirectories, extraMountPoints, true) assert.NoError(t, err) defer chroot.Close(defaultLeaveOnDisk) diff --git a/toolkit/tools/internal/safemount/safemount_test.go b/toolkit/tools/internal/safemount/safemount_test.go index d580f032fef..2084b05212e 100644 --- a/toolkit/tools/internal/safemount/safemount_test.go +++ b/toolkit/tools/internal/safemount/safemount_test.go @@ -67,7 +67,7 @@ func TestResourceBusy(t *testing.T) { // Set up partitions. _, _, _, _, err = diskutils.CreatePartitions(loopback.DevicePath(), diskConfig, - configuration.RootEncryption{}, configuration.ReadOnlyVerityRoot{}, nil) + configuration.RootEncryption{}, configuration.ReadOnlyVerityRoot{}) if !assert.NoError(t, err, "failed to create partitions on disk", loopback.DevicePath()) { return } diff --git a/toolkit/tools/internal/shell/shell.go b/toolkit/tools/internal/shell/shell.go index 21d0244a423..66df3f56cb8 100644 --- a/toolkit/tools/internal/shell/shell.go +++ b/toolkit/tools/internal/shell/shell.go 
@@ -144,9 +144,17 @@ func ExecuteLive(squashErrors bool, program string, args ...string) (err error) // ExecuteLiveWithErr runs a command in the shell and logs it in real-time. // In addition, if there is an error, the last x lines of stderr will be attached to the err object. func ExecuteLiveWithErr(stderrLines int, program string, args ...string) (err error) { + return ExecuteLiveWithErrAndCallbacks(stderrLines, logger.Log.Debug, logger.Log.Debug, program, args...) +} + +// ExecuteLiveWithErr runs a command in the shell and logs it in real-time. +// In addition, if there is an error, the last x lines of stderr will be attached to the err object. +func ExecuteLiveWithErrAndCallbacks(stderrLines int, onStdout, onStderr func(...interface{}), program string, + args ...string, +) (err error) { stderrChan := make(chan string, stderrLines) - err = ExecuteLiveWithCallbackAndChannels(logger.Log.Debug, logger.Log.Debug, nil, stderrChan, program, args...) + err = ExecuteLiveWithCallbackAndChannels(onStdout, onStderr, nil, stderrChan, program, args...) close(stderrChan) if err != nil { errLines := "" diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizepartitionsfilecopy.go b/toolkit/tools/pkg/imagecustomizerlib/customizepartitionsfilecopy.go index 9e739f405f0..832d9fcb423 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizepartitionsfilecopy.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizepartitionsfilecopy.go @@ -5,10 +5,9 @@ package imagecustomizerlib import ( "fmt" - "os" - "path/filepath" "github.com/microsoft/CBL-Mariner/toolkit/tools/imagecustomizerapi" + "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/logger" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/safechroot" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/shell" ) 
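Review bot: The doc comment on the new `ExecuteLiveWithErrAndCallbacks` is a verbatim copy of the one above it and starts with `// ExecuteLiveWithErr runs ...`, so godoc attaches the wrong name and `onStdout`/`onStderr` go undescribed. Something like `// ExecuteLiveWithErrAndCallbacks is ExecuteLiveWithErr with caller-supplied handlers for each stdout and stderr line; on failure the last stderrLines lines of stderr are still attached to err.` covers it. Whether a nil callback is allowed is not established here — the first caller in customizepartitionsfilecopy.go passes an explicit no-op `func(...interface{}) {}` instead — so the comment should state the contract either way. The function body continues outside the hunk.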
@@ -16,7 +15,7 @@ import ( func customizePartitionsUsingFileCopy(buildDir string, baseConfigPath string, config *imagecustomizerapi.Config, buildImageFile string, newBuildImageFile string, ) error { - existingImageConnection, err := connectToExistingImage(buildImageFile, buildDir, "imageroot") + existingImageConnection, err := connectToExistingImage(buildImageFile, buildDir, "imageroot", false) if err != nil { return err } @@ -28,17 +27,11 @@ func customizePartitionsUsingFileCopy(buildDir string, baseConfigPath string, co return copyFilesIntoNewDisk(existingImageConnection.Chroot(), imageChroot) } - newImageConnection, err := createNewImage(newBuildImageFile, diskConfig, config.SystemConfig.PartitionSettings, + err = createNewImage(newBuildImageFile, diskConfig, config.SystemConfig.PartitionSettings, config.SystemConfig.BootType, config.SystemConfig.KernelCommandLine, buildDir, "newimageroot", installOSFunc) if err != nil { return err } - defer newImageConnection.Close() - - err = newImageConnection.CleanClose() - if err != nil { - return err - } err = existingImageConnection.CleanClose() if err != nil { 
@@ -60,28 +53,10 @@ func copyFilesIntoNewDiskHelper(existingImageChroot *safechroot.Chroot, newImage // Notes: // `-a` ensures unix permissions, extended attributes (including SELinux), and sub-directories (-r) are copied. // `--no-dereference` ensures that symlinks are copied as symlinks. - copyArgs := []string{"--verbose", "--no-clobber", "-a", "--no-dereference", "--sparse", "always", "-t", newImageChroot.RootDir()} - - files, err := os.ReadDir(existingImageChroot.RootDir()) - if err != nil { - return fmt.Errorf("failed to read base image root directory:\n%w", err) - } - - for _, file := range files { - switch file.Name() { - case "dev", "proc", "sys", "run", "tmp": - // Exclude special directories. - // - // Note: Under /var, there are symlinks to a couple of these special directories. - // However, the `cp` command is called with `--no-dereference`. So, the symlinks will be copied as symlinks. - continue - } - - fullFileName := filepath.Join(existingImageChroot.RootDir(), file.Name()) - copyArgs = append(copyArgs, fullFileName) - } + copyArgs := []string{"--verbose", "--no-clobber", "-a", "--no-dereference", "--sparse", "always", + existingImageChroot.RootDir() + "/.", newImageChroot.RootDir()} - err = shell.ExecuteLiveWithErr(1, "cp", copyArgs...) + err := shell.ExecuteLiveWithErrAndCallbacks(1, func(...interface{}) {}, logger.Log.Debug, "cp", copyArgs...) if err != nil { return fmt.Errorf("failed to copy files:\n%w", err) } diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeutils.go b/toolkit/tools/pkg/imagecustomizerlib/customizeutils.go index c385d93dda7..c8a547eb5c3 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeutils.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeutils.go 
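Review bot: `cp -a` on `existingImageChroot.RootDir() + "/."` now descends into `dev`, `proc`, `sys`, `run` and `tmp` under the base image root, which the removed loop skipped, and that is only safe because `customizePartitionsUsingFileCopy` now opens the existing image with `includeDefaultMounts=false` — a coupling that lives in a different function and is not stated here. If a future caller connects that chroot with default mounts, the copy would recurse into whatever is mounted at those paths and reproduce device nodes and mounted filesystem contents in the new image. A comment on `copyArgs` naming the invariant — `// Relies on existingImageChroot having been initialised without default mounts (see customizePartitionsUsingFileCopy); with /dev, /proc or /sys mounted, cp -a would copy their contents into the new image.` — is the minimum, and a guard that fails when any mount point is active under the root would enforce it. Note also that the image's own `/run` and `/tmp` contents are now copied where before they were excluded, and that the `--verbose` stdout is now discarded by the no-op callback while stderr still goes to `logger.Log.Debug`.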
@@ -304,7 +304,7 @@ func addOrUpdateUser(user imagecustomizerapi.User, baseConfigPath string, imageC } } - err = installutils.ProvisionUserSSHCerts(imageChroot, user.Name, user.SSHPubKeyPaths) + err = installutils.ProvisionUserSSHCerts(imageChroot, user.Name, user.SSHPubKeyPaths, user.SSHPubKeys) if err != nil { return err } diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeutils_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizeutils_test.go index 62871d513fe..1fcffce746f 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeutils_test.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeutils_test.go @@ -25,7 +25,7 @@ func TestUpdateHostname(t *testing.T) { // Setup environment. proposedDir := filepath.Join(tmpDir, "TestUpdateHostname") chroot := safechroot.NewChroot(proposedDir, false) - err := chroot.Initialize("", []string{}, []*safechroot.MountPoint{}) + err := chroot.Initialize("", []string{}, []*safechroot.MountPoint{}, false) assert.NoError(t, err) defer chroot.Close(false) @@ -52,7 +52,7 @@ func TestCopyAdditionalFiles(t *testing.T) { chroot := safechroot.NewChroot(proposedDir, false) baseConfigPath := testDir - err := chroot.Initialize("", []string{}, []*safechroot.MountPoint{}) + err := chroot.Initialize("", []string{}, []*safechroot.MountPoint{}, false) assert.NoError(t, err) defer chroot.Close(false) @@ -109,7 +109,7 @@ func TestAddCustomizerRelease(t *testing.T) { proposedDir := filepath.Join(tmpDir, "TestAddCustomizerRelease") chroot := safechroot.NewChroot(proposedDir, false) - err := chroot.Initialize("", []string{}, []*safechroot.MountPoint{}) + err := chroot.Initialize("", []string{}, []*safechroot.MountPoint{}, false) assert.NoError(t, err) defer chroot.Close(false) diff --git a/toolkit/tools/pkg/imagecustomizerlib/extractpartitions.go b/toolkit/tools/pkg/imagecustomizerlib/extractpartitions.go index ebd937d3533..1c498122391 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/extractpartitions.go 
+++ b/toolkit/tools/pkg/imagecustomizerlib/extractpartitions.go @@ -13,14 +13,11 @@ import ( ) // Extract all partitions of connected image into separate files with specified format. -func extractPartitions(imageConnection *ImageConnection, outputImageFile string, partitionFormat string) error { +func extractPartitions(imageLoopDevice string, outputImageFile string, partitionFormat string) error { // Extract basename from outputImageFile. E.g. if outputImageFile is "image.qcow2", then basename is "image". basename := strings.TrimSuffix(filepath.Base(outputImageFile), filepath.Ext(outputImageFile)) - // Get path of loop device associated with the image. - imageLoopDevice := imageConnection.Loopback().DevicePath() - // Get output directory path. outDir := filepath.Dir(outputImageFile) diff --git a/toolkit/tools/pkg/imagecustomizerlib/imageConnection.go b/toolkit/tools/pkg/imagecustomizerlib/imageConnection.go index d6e31e12ba2..fb74a508a8c 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/imageConnection.go +++ b/toolkit/tools/pkg/imagecustomizerlib/imageConnection.go @@ -34,14 +34,14 @@ func (c *ImageConnection) ConnectLoopback(diskFilePath string) error { } func (c *ImageConnection) ConnectChroot(rootDir string, isExistingDir bool, extraDirectories []string, - extraMountPoints []*safechroot.MountPoint, + extraMountPoints []*safechroot.MountPoint, includeDefaultMounts bool, ) error { if c.chroot != nil { return fmt.Errorf("chroot already connected") } chroot := safechroot.NewChroot(rootDir, isExistingDir) - err := chroot.Initialize("", extraDirectories, extraMountPoints) + err := chroot.Initialize("", extraDirectories, extraMountPoints, includeDefaultMounts) if err != nil { return err } diff --git a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go index 7eb59f2cc39..36a70105340 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go 
+++ b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go @@ -13,6 +13,7 @@ import ( "github.com/microsoft/CBL-Mariner/toolkit/tools/imagegen/diskutils" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/file" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/logger" + "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/safeloopback" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/safemount" "github.com/microsoft/CBL-Mariner/toolkit/tools/internal/shell" ) @@ -62,11 +63,14 @@ func CustomizeImage(buildDir string, baseConfigPath string, config *imagecustomi rpmsSources []string, outputImageFile string, outputImageFormat string, outputSplitPartitionsFormat string, useBaseImageRpmRepos bool, ) error { var err error + var qemuOutputImageFormat string - // Validate 'outputImageFormat' value. - qemuOutputImageFormat, err := toQemuImageFormat(outputImageFormat) - if err != nil { - return err + // Validate 'outputImageFormat' value if specified. + if outputImageFormat != "" { + qemuOutputImageFormat, err = toQemuImageFormat(outputImageFormat) + if err != nil { + return err + } } // Validate config. 
@@ -117,21 +121,23 @@ func CustomizeImage(buildDir string, baseConfigPath string, config *imagecustomi
 		}
 	}
-	// Create final output image file.
-	logger.Log.Infof("Writing: %s", outputImageFile)
+	// Create final output image file if requested.
+	if outputImageFormat != "" {
+		logger.Log.Infof("Writing: %s", outputImageFile)
-	outDir := filepath.Dir(outputImageFile)
-	os.MkdirAll(outDir, os.ModePerm)
+		outDir := filepath.Dir(outputImageFile)
+		os.MkdirAll(outDir, os.ModePerm)
-	err = shell.ExecuteLiveWithErr(1, "qemu-img", "convert", "-O", qemuOutputImageFormat, buildImageFile, outputImageFile)
-	if err != nil {
-		return fmt.Errorf("failed to convert image file to format: %s:\n%w", outputImageFormat, err)
+		err = shell.ExecuteLiveWithErr(1, "qemu-img", "convert", "-O", qemuOutputImageFormat, buildImageFile, outputImageFile)
+		if err != nil {
+			return fmt.Errorf("failed to convert image file to format: %s:\n%w", outputImageFormat, err)
+		}
 	}
 	// If outputSplitPartitionsFormat is specified, extract the partition files.
 	if outputSplitPartitionsFormat != "" {
 		logger.Log.Infof("Extracting partition files")
-		err = extractPartitionsHelper(buildDirAbs, buildImageFile, outputImageFile, outputSplitPartitionsFormat)
+		err = extractPartitionsHelper(buildImageFile, outputImageFile, outputSplitPartitionsFormat)
 		if err != nil {
 			return err
 		}
@@ -286,7 +292,7 @@ func validatePackageLists(baseConfigPath string, config *imagecustomizerapi.Syst
 func customizeImageHelper(buildDir string, baseConfigPath string, config *imagecustomizerapi.Config,
 	buildImageFile string, rpmsSources []string, useBaseImageRpmRepos bool, partitionsCustomized bool,
 ) error {
-	imageConnection, err := connectToExistingImage(buildImageFile, buildDir, "imageroot")
+	imageConnection, err := connectToExistingImage(buildImageFile, buildDir, "imageroot", true)
 	if err != nil {
 		return err
 	}
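Review bot: The re-indented `os.MkdirAll(outDir, os.ModePerm)` inside the new `if outputImageFormat != ""` block still discards its error and asks for mode 0777, so a failure to create the output directory only surfaces later as a confusing qemu-img error, and under a permissive umask the directory holding the finished image is created world-writable. Both are pre-existing, but these lines are now the new side of the hunk, so I would tighten them while here, reusing the err already declared in CustomizeImage: `err = os.MkdirAll(outDir, 0755)` / `if err != nil { return fmt.Errorf("failed to create output directory (%s):\n%w", outDir, err) }`. CustomizeImage starts and ends outside this hunk.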
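Review bot: The trailing `true` in `connectToExistingImage(buildImageFile, buildDir, "imageroot", true)` is a positional boolean whose meaning cannot be read at the call site, and it is the flag that decides whether the image chroot receives the host's default mount set, which is worth being explicit about at the one place the customizer opts in. I would name it, e.g. `const includeDefaultMounts = true` on the line above and pass that, or at minimum annotate the argument as `/* includeDefaultMounts */ true`; the same applies to the bare `false` passed in createImageBoilerplate and in the test. customizeImageHelper continues outside the hunk.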
@@ -307,20 +313,20 @@ func customizeImageHelper(buildDir string, baseConfigPath string, config *imagec
 	return nil
 }
-func extractPartitionsHelper(buildDir string, buildImageFile string, outputImageFile string, outputSplitPartitionsFormat string) error {
-	imageConnection, err := connectToExistingImage(buildImageFile, buildDir, "imageroot")
+func extractPartitionsHelper(buildImageFile string, outputImageFile string, outputSplitPartitionsFormat string) error {
+	imageLoopback, err := safeloopback.NewLoopback(buildImageFile)
 	if err != nil {
 		return err
 	}
-	defer imageConnection.Close()
+	defer imageLoopback.Close()
 	// Extract the partitions as files.
-	err = extractPartitions(imageConnection, outputImageFile, outputSplitPartitionsFormat)
+	err = extractPartitions(imageLoopback.DevicePath(), outputImageFile, outputSplitPartitionsFormat)
 	if err != nil {
 		return err
 	}
-	err = imageConnection.CleanClose()
+	err = imageLoopback.CleanClose()
 	if err != nil {
 		return err
 	}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer_test.go b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer_test.go
index 019e253fbf4..0d6c3d89c67 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer_test.go
@@ -122,7 +122,7 @@ func reconnectToFakeEfiImage(buildDir string, imageFilePath string) (*ImageConne
 		safechroot.NewMountPoint(bootPartitionDevPath, "/boot/efi", "vfat", 0, ""),
 	}
-	err = imageConnection.ConnectChroot(rootDir, false, []string{}, mountPoints)
+	err = imageConnection.ConnectChroot(rootDir, false, []string{}, mountPoints, false)
 	if err != nil {
 		imageConnection.Close()
 		return nil, err
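Review bot: extractPartitionsHelper calls `imageLoopback.CleanClose()` on the success path and then still runs the deferred `imageLoopback.Close()`, so correctness depends on safeloopback's Close being a safe no-op after a successful CleanClose; that contract is not visible in this diff and should be confirmed, and stated on the defer, e.g. `defer imageLoopback.Close() // detaches on error paths; expected to be a no-op after CleanClose`. Separately, the CleanClose error is returned bare while the other failures in this file carry what was being attempted, so I would wrap it: `return fmt.Errorf("failed to cleanly detach loopback device for (%s):\n%w", buildImageFile, err)`. A leaked loop device here keeps the build image attached to the host until something else cleans it up, which is why the two close paths are worth getting right.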
@@ -317,12 +317,11 @@ func createFakeEfiImage(buildDir string) (string, error) {
 		return nil
 	}
-	imageConnection, err := createNewImage(rawDisk, diskConfig, partitionSettings, "efi",
+	err = createNewImage(rawDisk, diskConfig, partitionSettings, "efi",
 		imagecustomizerapi.KernelCommandLine{}, buildDir, testImageRootDirName, installOS)
 	if err != nil {
 		return "", err
 	}
-	defer imageConnection.Close()
 	return rawDisk, nil
 }
diff --git a/toolkit/tools/pkg/imagecustomizerlib/imageutils.go b/toolkit/tools/pkg/imagecustomizerlib/imageutils.go
index 5d59f46cb32..a550966dd32 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/imageutils.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/imageutils.go
@@ -16,24 +16,13 @@ import (
 	"github.com/microsoft/CBL-Mariner/toolkit/tools/internal/safechroot"
 )
-var (
-	// When calling mkfs, the default options change depending on the host OS you are running on and typically match
-	// what the distro has decided is best for their OS. For example, for ext2/3/4, the defaults are stored in
-	// /etc/mke2fs.conf.
-	// However, for the image customizer tool, the defaults should be as consistent as possible.
-	DefaultMkfsOptions = map[string][]string{
-		"ext2": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr"},
-		"ext3": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr,has_journal"},
-		"ext4": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr,has_journal,extent,huge_file,flex_bg,metadata_csum,64bit,dir_nlink,extra_isize"},
-	}
-)
 type installOSFunc func(imageChroot *safechroot.Chroot) error
-func connectToExistingImage(imageFilePath string, buildDir string, chrootDirName string) (*ImageConnection, error) {
+func connectToExistingImage(imageFilePath string, buildDir string, chrootDirName string, includeDefaultMounts bool,
+) (*ImageConnection, error) {
 	imageConnection := NewImageConnection()
-	err := connectToExistingImageHelper(imageConnection, imageFilePath, buildDir, chrootDirName)
+	err := connectToExistingImageHelper(imageConnection, imageFilePath, buildDir, chrootDirName, includeDefaultMounts)
 	if err != nil {
 		imageConnection.Close()
 		return nil, err
@@ -44,7 +33,7 @@ func connectToExistingImage(imageFilePath string, buildDir string, chrootDirName
 }
 func connectToExistingImageHelper(imageConnection *ImageConnection, imageFilePath string,
-	buildDir string, chrootDirName string,
+	buildDir string, chrootDirName string, includeDefaultMounts bool,
 ) error {
 	// Connect to image file using loopback device.
 	err := imageConnection.ConnectLoopback(imageFilePath)
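Review bot: connectToExistingImage now takes includeDefaultMounts but carries no doc comment, and since the customizer passes true through it while createImageBoilerplate passes false, a reader has to trace two files to learn which chroots get the host default mount set. I would add: `// connectToExistingImage attaches imageFilePath to a loopback device and builds a chroot over it under buildDir/chrootDirName; includeDefaultMounts is forwarded to safechroot and selects whether the chroot also receives safechroot's default mount set. Callers must Close (or CleanClose) the returned connection.` The same hunk deletes DefaultMkfsOptions together with the only comment explaining why the ext feature set was pinned rather than left to the host's /etc/mke2fs.conf; if that rationale now lives in diskutils it should be said there, otherwise it is lost. The body of connectToExistingImage continues outside the hunk.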
@@ -61,7 +50,7 @@ func connectToExistingImageHelper(imageConnection *ImageConnection, imageFilePat
 	// Create chroot environment.
 	imageChrootDir := filepath.Join(buildDir, chrootDirName)
-	err = imageConnection.ConnectChroot(imageChrootDir, false, newMountDirectories, mountPoints)
+	err = imageConnection.ConnectChroot(imageChrootDir, false, newMountDirectories, mountPoints, includeDefaultMounts)
 	if err != nil {
 		return err
 	}
@@ -73,25 +62,25 @@ func createNewImage(filename string, diskConfig imagecustomizerapi.Disk,
 	partitionSettings []imagecustomizerapi.PartitionSetting, bootType imagecustomizerapi.BootType,
 	kernelCommandLine imagecustomizerapi.KernelCommandLine, buildDir string, chrootDirName string,
 	installOS installOSFunc,
-) (*ImageConnection, error) {
-	imageConnection := &ImageConnection{}
-
-	err := createNewImageHelper(imageConnection, filename, diskConfig, partitionSettings, bootType, kernelCommandLine,
+) error {
+	err := createNewImageHelper(filename, diskConfig, partitionSettings, bootType, kernelCommandLine,
 		buildDir, chrootDirName, installOS,
 	)
 	if err != nil {
-		imageConnection.Close()
-		return nil, fmt.Errorf("failed to create new image:\n%w", err)
+		return fmt.Errorf("failed to create new image:\n%w", err)
 	}
-	return imageConnection, nil
+	return nil
 }
-func createNewImageHelper(imageConnection *ImageConnection, filename string, diskConfig imagecustomizerapi.Disk,
+func createNewImageHelper(filename string, diskConfig imagecustomizerapi.Disk,
 	partitionSettings []imagecustomizerapi.PartitionSetting, bootType imagecustomizerapi.BootType,
 	kernelCommandLine imagecustomizerapi.KernelCommandLine, buildDir string, chrootDirName string,
 	installOS installOSFunc,
 ) error {
+	imageConnection := NewImageConnection()
+	defer imageConnection.Close()
+
 	// Convert config to image config types, so that the imager's utils can be used.
 	imagerBootType, err := bootTypeToImager(bootType)
 	if err != nil {
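Review bot: createNewImage's result changed from (*ImageConnection, error) to error and createNewImageHelper now owns the connection it creates (`imageConnection := NewImageConnection()` / `defer imageConnection.Close()`), but neither function says that the image is detached on return and has to be reopened with connectToExistingImage to be used, which is the behaviour change a caller trips over. I would add above createNewImage: `// createNewImage creates a disk image at filename with the given layout and boot type, presumably runs installOS inside a temporary chroot under buildDir/chrootDirName, and detaches the image before returning; open it afterwards with connectToExistingImage.` The deferred Close here also runs after the explicit CleanClose later in the helper, so it relies on Close being safe on an already-closed connection; a one-line comment on the defer saying so would save the next reader a trip into ImageConnection. Both functions continue outside the hunk.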
@@ -147,6 +136,12 @@ func createNewImageHelper(imageConnection *ImageConnection, filename string, dis
 		return fmt.Errorf("failed to install bootloader:\n%w", err)
 	}
+	// Close image.
+	err = imageConnection.CleanClose()
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
@@ -168,7 +163,7 @@ func createImageBoilerplate(imageConnection *ImageConnection, filename string, b
 	// Set up partitions.
 	partIDToDevPathMap, partIDToFsTypeMap, _, _, err := diskutils.CreatePartitions(
 		imageConnection.Loopback().DevicePath(), imagerDiskConfig, configuration.RootEncryption{},
-		configuration.ReadOnlyVerityRoot{}, DefaultMkfsOptions)
+		configuration.ReadOnlyVerityRoot{})
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to create partitions on disk (%s):\n%w", imageConnection.Loopback().DevicePath(), err)
 	}
@@ -184,6 +179,10 @@ func createImageBoilerplate(imageConnection *ImageConnection, filename string, b
 	// options for us. If we wanted to handle this more directly, we could create a golang wrapper around libmount
 	// (which is what findmnt uses). But we are already using the findmnt in other places.
 	tmpFstabFile := filepath.Join(buildDir, chrootDirName+"_fstab")
+	err = file.RemoveFileIfExists(tmpFstabFile)
+	if err != nil {
+		return nil, "", err
+	}
 	mountPointMap, mountPointToFsTypeMap, mountPointToMountArgsMap, _ := installutils.CreateMountPointPartitionMap(
 		partIDToDevPathMap, partIDToFsTypeMap, imagerPartitionSettings,
@@ -205,7 +204,7 @@ func createImageBoilerplate(imageConnection *ImageConnection, filename string, b
 	// Create chroot environment.
 	imageChrootDir := filepath.Join(buildDir, chrootDirName)
-	err = imageConnection.ConnectChroot(imageChrootDir, false, nil, mountPoints)
+	err = imageConnection.ConnectChroot(imageChrootDir, false, nil, mountPoints, false)
 	if err != nil {
 		return nil, "", err
 	}
diff --git a/toolkit/tools/pkg/simpletoolchroot/simpletoolchroot.go b/toolkit/tools/pkg/simpletoolchroot/simpletoolchroot.go
index 59b458dc8ab..08f88df03b6 100644
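Review bot: The new `err = imageConnection.CleanClose()` returns its error bare, while every other failure in this function is wrapped with what was being attempted (`failed to install bootloader:\n%w` two lines above), so a failed unmount or loop detach will surface from createNewImage as "failed to create new image:" followed only by whatever the lower layer says. I would wrap it consistently: `return fmt.Errorf("failed to cleanly close image (%s):\n%w", filename, err)`. The `// Close image.` comment could also note that the Close deferred at the top of createNewImageHelper still runs after this and is expected to be a no-op on the success path. createNewImageHelper starts outside the hunk.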
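Review bot: Dropping DefaultMkfsOptions from the diskutils.CreatePartitions call means this package no longer pins the ext2/3/4 feature set (4 KiB blocks, metadata_csum, 64bit and the rest) that the removed comment in imageutils.go said was there so images do not vary with the host's /etc/mke2fs.conf. The narrower signature suggests diskutils now applies its own defaults, but that is not visible in this diff; if it does not, images built on different hosts will carry different filesystem features, which also undermines any checksum- or verity-based reproducibility downstream. I would confirm where the pinned option set now lives and leave a pointer at this call, e.g. `// mkfs options are pinned inside diskutils.CreatePartitions so filesystem features do not depend on the host's mke2fs.conf.` createImageBoilerplate starts and ends outside the hunk.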
--- a/toolkit/tools/pkg/simpletoolchroot/simpletoolchroot.go
+++ b/toolkit/tools/pkg/simpletoolchroot/simpletoolchroot.go
@@ -58,7 +58,7 @@ func (s *SimpleToolChroot) InitializeChroot(buildDir, chrootName, workerTarPath,
 	extraMountPoints := []*safechroot.MountPoint{
 		safechroot.NewMountPoint(specsDirPath, chrootSpecDirPath, "", safechroot.BindMountPointFlags, ""),
 	}
-	err = s.chroot.Initialize(workerTarPath, extraDirectories, extraMountPoints)
+	err = s.chroot.Initialize(workerTarPath, extraDirectories, extraMountPoints, true)
 	if err != nil {
 		logger.Log.Errorf("Failed to initialize chroot (%s) inside (%s). Error: %v.", workerTarPath, chrootDirPath, err)
 	}
diff --git a/toolkit/tools/pkgworker/pkgworker.go b/toolkit/tools/pkgworker/pkgworker.go
index fb4f3513754..afa039175ec 100644
--- a/toolkit/tools/pkgworker/pkgworker.go
+++ b/toolkit/tools/pkgworker/pkgworker.go
@@ -213,7 +213,7 @@ func buildSRPMInChroot(chrootDir, rpmDirPath, toolchainDirPath, workerTar, srpmF
 		extraDirs = append(extraDirs, chrootCcacheDir)
 	}
-	err = chroot.Initialize(workerTar, extraDirs, mountPoints)
+	err = chroot.Initialize(workerTar, extraDirs, mountPoints, true)
 	if err != nil {
 		return
 	}
diff --git a/toolkit/tools/precacher/precacher.go b/toolkit/tools/precacher/precacher.go
index b8a98735dd9..42eb19e1099 100644
--- a/toolkit/tools/precacher/precacher.go
+++ b/toolkit/tools/precacher/precacher.go
@@ -215,13 +215,6 @@ func monitorProgress(total int, results chan downloadResult, doneChannel chan st
 // responsible for removing itself from the wait group. As much processing as possible is done before acquiring the
 // network operations semaphore to minimize the time spent holding it.
 func precachePackage(pkg *repocloner.RepoPackage, packagesAvailableFromRepos map[string]string, outDir string, wg *sync.WaitGroup, results chan<- downloadResult, netOpsSemaphore chan struct{}) {
-	const (
-		// With 5 attempts, initial delay of 1 second, and a backoff factor of 2.0 the total time spent retrying will be
-		// ~30 seconds.
-		downloadRetryAttempts = 5
-		failureBackoffBase = 2.0
-		downloadRetryDuration = time.Second
-	)
 	var noCancel chan struct{} = nil
 	// File names are of the form "-...rpm"
@@ -263,13 +256,13 @@ func precachePackage(pkg *repocloner.RepoPackage, packagesAvailableFromRepos map
 	}()
 	logger.Log.Debugf("Pre-caching '%s' from '%s'", fileName, url)
-	_, err = retry.RunWithExpBackoff(func() error {
+	_, err = retry.RunWithDefaultDownloadBackoff(func() error {
 		err := network.DownloadFile(url, fullFilePath, nil, nil)
 		if err != nil {
 			logger.Log.Warnf("Attempt to download (%s) failed. Error: %s", url, err)
 		}
 		return err
-	}, downloadRetryAttempts, downloadRetryDuration, failureBackoffBase, noCancel)
+	}, noCancel)
 	if err != nil {
 		return
 	}
diff --git a/toolkit/tools/specreader/specreader.go b/toolkit/tools/specreader/specreader.go
index 28789db0273..32419fa1ea5 100644
--- a/toolkit/tools/specreader/specreader.go
+++ b/toolkit/tools/specreader/specreader.go
@@ -211,7 +211,7 @@ func createChroot(workerTar, buildDir, specsDir, srpmsDir string) (chroot *safec
 	chrootDir := filepath.Join(buildDir, chrootName)
 	chroot = safechroot.NewChroot(chrootDir, existingDir)
-	err = chroot.Initialize(workerTar, extraDirectories, extraMountPoints)
+	err = chroot.Initialize(workerTar, extraDirectories, extraMountPoints, true)
 	if err != nil {
 		return
 	}
diff --git a/toolkit/tools/srpmpacker/srpmpacker.go b/toolkit/tools/srpmpacker/srpmpacker.go
index 338f79e672a..003994a7984 100644
--- a/toolkit/tools/srpmpacker/srpmpacker.go
+++ b/toolkit/tools/srpmpacker/srpmpacker.go
@@ -15,7 +15,6 @@ import (
 	"runtime"
 	"strings"
 	"sync"
-	"time"
 	"github.com/microsoft/CBL-Mariner/toolkit/tools/internal/buildpipeline"
 	"github.com/microsoft/CBL-Mariner/toolkit/tools/internal/directory"
@@ -320,7 +319,7 @@ func createChroot(workerTar, buildDir, outDir, specsDir string) (chroot *safechr
 	chrootDir := filepath.Join(buildDir, chrootName)
 	chroot = safechroot.NewChroot(chrootDir, existingDir)
-	err = chroot.Initialize(workerTar, extraDirectories, extraMountPoints)
+	err = chroot.Initialize(workerTar, extraDirectories, extraMountPoints, true)
 	if err != nil {
 		return
 	}
@@ -917,13 +916,6 @@ func tryToHydrateFromLocalSource(fileHydrationState map[string]bool, newSourceDi
 // hydrateFromRemoteSource will update fileHydrationState.
 // Will alter `currentSignatures`.
 func hydrateFromRemoteSource(fileHydrationState map[string]bool, newSourceDir string, srcConfig sourceRetrievalConfiguration, skipSignatureHandling bool, currentSignatures map[string]string, cancel <-chan struct{}, netOpsSemaphore chan struct{}) (err error) {
-	const (
-		// With 5 attempts, initial delay of 1 second, and a backoff factor of 2.0 the total time spent retrying will be
-		// ~30 seconds.
-		downloadRetryAttempts = 5
-		failureBackoffBase = 2.0
-		downloadRetryDuration = time.Second
-	)
 	errPackerCancelReceived := fmt.Errorf("packer cancel signal received")
 	for fileName, alreadyHydrated := range fileHydrationState {
@@ -947,14 +939,14 @@ func hydrateFromRemoteSource(fileHydrationState map[string]bool, newSourceDir st
 			}
 		}
-		cancelled, internalErr := retry.RunWithExpBackoff(func() error {
+		cancelled, internalErr := retry.RunWithDefaultDownloadBackoff(func() error {
 			downloadErr := network.DownloadFile(url, destinationFile, srcConfig.caCerts, srcConfig.tlsCerts)
 			if downloadErr != nil {
 				logger.Log.Debugf("Failed an attempt to download (%s). Error: %s.", url, downloadErr)
 			}
 			return downloadErr
-		}, downloadRetryAttempts, downloadRetryDuration, failureBackoffBase, cancel)
+		}, cancel)
 		if netOpsSemaphore != nil {
 			// Clear the channel to allow another operation to start
diff --git a/toolkit/tools/validatechroot/validatechroot.go b/toolkit/tools/validatechroot/validatechroot.go
index 2a254178e11..244d6efd8fd 100644
--- a/toolkit/tools/validatechroot/validatechroot.go
+++ b/toolkit/tools/validatechroot/validatechroot.go
@@ -76,7 +76,7 @@ func validateWorker(rpmsDir, chrootDir, workerTarPath, manifestPath string) (err
 	rpmMount := safechroot.NewMountPoint(rpmsDir, chrootToolchainRpmsDir, "", safechroot.BindMountPointFlags, "")
 	extraDirectories := []string{chrootToolchainRpmsDir}
 	rpmMounts := []*safechroot.MountPoint{rpmMount}
-	err = chroot.Initialize(workerTarPath, extraDirectories, rpmMounts)
+	err = chroot.Initialize(workerTarPath, extraDirectories, rpmMounts, true)
 	if err != nil {
 		chroot = nil
 		return