From 5f16e9622f938b64a98e6bb1c2882742ab854821 Mon Sep 17 00:00:00 2001 From: xumia <59720581+xumia@users.noreply.github.com> Date: Tue, 30 Jun 2020 06:01:20 +0800 Subject: [PATCH 01/11] Add the test signing certificates for secure boot (#4866) * Add the test signing certificates for secure boot * Remove unnecessary ca key file * Regenerate the certificates to not expose the ca key --- build_image.sh | 10 +++- .../secureboot/test-certs/ca.cert | 32 ++++++++++++ .../secureboot/test-certs/signing.cert | 30 +++++++++++ .../secureboot/test-certs/signing.key | 51 +++++++++++++++++++ 4 files changed, 122 insertions(+), 1 deletion(-) create mode 100644 files/image_config/secureboot/test-certs/ca.cert create mode 100644 files/image_config/secureboot/test-certs/signing.cert create mode 100644 files/image_config/secureboot/test-certs/signing.key diff --git a/build_image.sh b/build_image.sh index 4fd9f7315a25..2cd3d98fb82f 100755 --- a/build_image.sh +++ b/build_image.sh @@ -150,7 +150,15 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then if [ "$SONIC_ENABLE_IMAGE_SIGNATURE" = "y" ]; then TARGET_CA_CERT="$TARGET_PATH/ca.cert" rm -f "$TARGET_CA_CERT" - [ -f "$CA_CERT" ] && cp "$CA_CERT" "$TARGET_CA_CERT" + + # If the ca certificate does not exist, the test certificate will be used to sign the image + if [ ! -f "$CA_CERT" ]; then + TEST_CERT_PATH=files/image_config/secureboot/test-certs + CA_CERT="${TEST_CERT_PATH}/ca.cert" + SIGNING_KEY="${TEST_CERT_PATH}/signing.key" + SIGNING_CERT="${TEST_CERT_PATH}/signing.cert" + fi + cp "$CA_CERT" "$TARGET_CA_CERT" ./scripts/sign_image.sh -i "$OUTPUT_ABOOT_IMAGE" -k "$SIGNING_KEY" -c "$SIGNING_CERT" -a "$TARGET_CA_CERT" fi else diff --git a/files/image_config/secureboot/test-certs/ca.cert b/files/image_config/secureboot/test-certs/ca.cert new file mode 100644 index 000000000000..9cf0586edd61 --- /dev/null +++ b/files/image_config/secureboot/test-certs/ca.cert @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFdTCCA12gAwIBAgIUL2kglpzjw8n7sLr41bLDrLU8CcswDQYJKoZIhvcNAQEL +BQAwSTELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFRlc3QxDTALBgNVBAcMBFRlc3Qx +DTALBgNVBAoMBFRlc3QxDTALBgNVBAMMBFRlc3QwIBcNMjAwNjI5MDYyNzE4WhgP +MjEyMDA2MDUwNjI3MThaMEkxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARUZXN0MQ0w +CwYDVQQHDARUZXN0MQ0wCwYDVQQKDARUZXN0MQ0wCwYDVQQDDARUZXN0MIICIjAN +BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA32NtDS/zojvq37VlzMQYUXY58OWZ +hrgGnuq5j5bUWZlRGxjiRyRjYgeTC+gCFsT0u3Mgat1Kwo1rsOLCf62KArOUssMR +xGWEdubvYlIInC4RyuTq0a7lLxQH1q+mwHPpJHQ3Iv7Vj8cwmtwM/uAru6uOy+YN +Dl3Y+VCtbJ/3OB5u4W7toAmfPfoO/JNOxYQAYMNqMwFfK7MMh8HPjm5hQ9j+K+Df +yAlePFgnp8v4o3SdYzzW7rkV+q7ZfGM4VlPnNHgS2wcbI5NoFgpe86k3JSF6aFSh +p+fEQss/Kz2JXrfvR7TbpS/HpeoPRvUF7kSgCVfaMPdoOOwGtVkmIPlTN1y5xpyu +LH/v62TmNp3NOlbQ4oxgIrYfaYDXTByuFSlXft6VcJg7bJvGL8J1QqU7A040jSPn +45GaLm9nJpl//ik/MjU+qau8O7lvmz/2OjIwEDElAYTDnLoYYDeax9vJjcEni5/s +xi/fc7IyHtOgOpb5+bLumvvBy7qCM0sRuFliXAAFzwK1zn1WxwUMBuMjZjioCNPW +zfJ9jrmbBB2KJk/hyJ6mAVSE/tTL2vJsgjB3RabfS5ECr/ZXZXbNb3FUiFea5oUe +XKkzC6oUGfUb63ZwQ1oSX1q4ECt/OecAmujL3ATLILrptko3FgURjwYUTtPn5DyL +gYnc6CvZ3Tl70DECAwEAAaNTMFEwHQYDVR0OBBYEFFSMKiWUTzg7rggKQ95BbgCR +ZCxeMB8GA1UdIwQYMBaAFFSMKiWUTzg7rggKQ95BbgCRZCxeMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggIBAI3N1xeBqtSy5/aOBPM3MG6WTfWaIwA2 +G7axvE9HLmOZ2jbNaV/is5ZTclgVocdYmg77MhhIzK7smPehUpimAntsk94E/zFA +K9sol4tPzWi+aVzf0fvEkOk+4WdPUMWkgyqFoiZ4n+ARJdN6Ef0Dcoue3DFbYu+M +94yOUD1KSXMDhknIwTCAtnCMDiFCv2f++LYOPs71ttJWnBGGtdYEibsAkFI9gOQ6 +ianw12D5ZWaF88jQt83B+gxw2QYRfpvW7enD1N7+kBfZV9BXa9IjVQ4kxi/DkEFM +ib1WR8zCmhb3wRkD0PVI6OE7XLjCjvGIhdsd3r+qHlHyzHJAJuuGxrLoenAe7T/P +eJ52mNtKGwASd/mShQpM+EbkGKnxKAp3ZJRMemeMboFk6WnPRZ7VYddHeXN57aGl +Yfg43cYfGACOHNfbs2X7zzNuqxpj1oLpDOHBD8UnYhGNWqfHAzmEDkxrReE/uO9R ++7NP3FFFx908OS7vgBSaUsYA9WX1VsJsyZjC/njHIPwZvKBRTvyTYfskSey1JA/O +YMp7NTL+LxSthab3Zgpe7ziYe+lQ/PkTBpy2UB0ntnUj2AER75VH3S8TBdIzlzCp +45+/TXbLOm+PO6iCIh/gHviCy5ua+txgZeG+/1sGrlYT0Je04e/HpVA7+aRzZF4+ +yxGRZsO7Ztjz +-----END CERTIFICATE----- diff --git a/files/image_config/secureboot/test-certs/signing.cert b/files/image_config/secureboot/test-certs/signing.cert new file mode 100644 index 000000000000..91b544cc5eb8 --- /dev/null +++ b/files/image_config/secureboot/test-certs/signing.cert @@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFGzCCAwMCFEzTPYLASoyMuK7LFp0mFz/fWFKYMA0GCSqGSIb3DQEBCwUAMEkx +CzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARUZXN0MQ0wCwYDVQQHDARUZXN0MQ0wCwYD +VQQKDARUZXN0MQ0wCwYDVQQDDARUZXN0MCAXDTIwMDYyOTA2MjcxOVoYDzIwNzAw +NjE3MDYyNzE5WjBJMQswCQYDVQQGEwJVUzENMAsGA1UECAwEVGVzdDENMAsGA1UE +BwwEVGVzdDENMAsGA1UECgwEVGVzdDENMAsGA1UEAwwEVGVzdDCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBAMl+lKW0Kjdy2xpXIrIr+0DZ+hWACR1Lp2By +5ovSqHXrpndPJrP/rtPwC0wOIry8iEHPrUc9oez+G9q+hMGcQR+O9un55huWoqlg +/KoCDuyP7QtraBzwQmihrnEtsWyF9KKFnEHTRgkMNqH+JKBWQQmfBouMq7QmZ0oL +IQ2zIt/3fJzBTr70WH3xIhrIujjAoy10dAxsg4CA49KREpj72lrb1IAEdFj57HCm +MYGA85qq6M+Qz97Zd9F4IoNrTg+7WLMRBRJEnsC20rfKQdEDIBPuwAMCC6j1Q9Jc +HIKu4StCVo693lCjPV4RhhiHd1Y1+TezX7UM7Wt2XEM/Z0gMZ2Z42p8ByfsxFtVO +QdsWoyrA79n6VlU0237AwgyAYdTopU5alErTrYwhwbcZNLb0mpLijGnf0jwWr4uu +7nbgozKVAMrpJZufPYhG5dG6lBOODcMpbkDfHi9yPcoGIbZYV41IGJhLaYejecry +B56vgd2jGU7bnIB3Mth3t+Vsx1y67EW/8IopmGwL2MyTV4Z5Hq59wnR53Z1hQLB6 +twTgPJjo+n39YTt/I6pkYzV0ptpJb6BS8NTvADoYw5TQy3mW/HR0LayRwkzB+8Ii +GDwC6k+IXcmHjeyov0OXeieFXwZMDPlc0yoCzZ1sywQNG8EDOSisu9R/zMW8sJjD +b+lItF9jAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAJqb9dChpXaOCdHKtcKbTgkm +Sf2HRN8lA7gszDQMXvenog+YinFO72bNzrRcmA2zYcpwutBLLBqZ6BccuSKc6F4Z +6Hv609mBTEWL64VqeQlsqADGS1+gzQGQm2AoFqNGdqCzx2EfoyXKIbmg4bik0INF +jQN0YsXsULMa4DSV/Cif3H3++e7kEa1/JxoqndTasrP9/YFJup3+90F1Q3ib0wql +W4kUVKpFxx0Qyi/zn8vrDsM2NfOur9rD7k9gv8GaN8PshPIGj0rzrIGf8QebugJ3 +0NsOaqLsR4+8KGGjT6ckcNDun1ajrRfMyKoNtxdI8l8zl80mQQtsbvIO5hmhUMy9 +AW+8QzBzgc/TJAAHlElxOYHwypcsNGbkIVczUy48gp4DhQtfs1q8HqzTwHtK+HTN +JzeQJtDnpAJARiCXr67+QTwAVszefqVK8N2UntuTzOhhs8PdP1jVv5g6gQpFfgI8 +IyniS46+mTO+FXYCkk2Ner2Jr6p3r2pMAQPSr28TEr75H2gUVufYSBUgrVDwPlio +SEk6Iccg/2KgWXPCj2/LmGcJZqCc8Z8L8CbT1z+5plpp+WcMVRxgbH/FHSQBkMsw +P2SSOVjJEkSYV5I6bYA97BBFpjovZS+7k6NmW1Lj1n33awdMrm1UXQRDTSKXOzVu +U/rAEWO3JyUeTNCL37Ec +-----END CERTIFICATE----- diff --git a/files/image_config/secureboot/test-certs/signing.key b/files/image_config/secureboot/test-certs/signing.key new file mode 100644 index 000000000000..9c16e80641b7 --- /dev/null +++ b/files/image_config/secureboot/test-certs/signing.key @@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAyX6UpbQqN3LbGlcisiv7QNn6FYAJHUunYHLmi9Kodeumd08m +s/+u0/ALTA4ivLyIQc+tRz2h7P4b2r6EwZxBH4726fnmG5aiqWD8qgIO7I/tC2to +HPBCaKGucS2xbIX0ooWcQdNGCQw2of4koFZBCZ8Gi4yrtCZnSgshDbMi3/d8nMFO +vvRYffEiGsi6OMCjLXR0DGyDgIDj0pESmPvaWtvUgAR0WPnscKYxgYDzmqroz5DP +3tl30Xgig2tOD7tYsxEFEkSewLbSt8pB0QMgE+7AAwILqPVD0lwcgq7hK0JWjr3e +UKM9XhGGGId3VjX5N7NftQzta3ZcQz9nSAxnZnjanwHJ+zEW1U5B2xajKsDv2fpW +VTTbfsDCDIBh1OilTlqUStOtjCHBtxk0tvSakuKMad/SPBavi67uduCjMpUAyukl +m589iEbl0bqUE44NwyluQN8eL3I9ygYhtlhXjUgYmEtph6N5yvIHnq+B3aMZTtuc +gHcy2He35WzHXLrsRb/wiimYbAvYzJNXhnkern3CdHndnWFAsHq3BOA8mOj6ff1h +O38jqmRjNXSm2klvoFLw1O8AOhjDlNDLeZb8dHQtrJHCTMH7wiIYPALqT4hdyYeN +7Ki/Q5d6J4VfBkwM+VzTKgLNnWzLBA0bwQM5KKy71H/MxbywmMNv6Ui0X2MCAwEA +AQKCAgEAuMZ2hDpimHSgTlhnveItR3xdJMhEE3RkKkNT/hcRWwndnv2brWckKMCx +a25vFosBnPBYo8L2MgGZA5DA51dmNQ2CinAbP2N1CUSijzjR/MfDhjxZvmfpTlAu +SyWu1alF/J/v+kFHsVZc51LKvao7fBo0A1bdwpeREsp/5jNHIQGwaYOvtdcXK28s +akl21EJ7oVxwa1A7i2UnBtr4pggXZki/ZyIum8WcuHT/YxYgzs46LtZKeb8NbK7x +X3jQngacwaEy+FyrBGjjdZ1pm8V07jJ8LIX8sVUxe7/yeTjrziLIg5/ENkhsJ06E +nQvlOM7IGvdIJhyTwH9K/nQvP1f4nNP+3RQSc8ubP5QqGGnlryhOvvV7QG8Y+ZN4 +mV1FOoyqiZdxFs/6PxKJfmNDoma8oz3pGQ810OnxtCu2kcxT54WBJdKxcQFxSxjS +8YVRoakmU6noUTqw6BaG9QwQnbLytXckXQDQlxqGd4WbL1nlCxZF25SxRCX2/mHd +7BUpW6OfxL/pEOcUBV0HO/ELm51xWMaZyGfZPkQRpbnpGgfXojuOnxdfiUbqkHy/ +/dV98pfgT+qy4FXn/zeGLnh6Q/JPcCQp6QeyUbC9jHvrkVLwuA8ugg9ilGvMSX8Q +vmVNe9UjkNVywoeiB5/Dc5CzgmG9hdsf2r+5BZNG3GilwsCAArECggEBAOzNasRY +j6mB47FJsxJDW0I16dBugLcenFTO70UzLeTGgsREzba6/ItnsH9ZPRRxmQoKC5a6 +yK+63DZo9YCOit8lSxx6otUev4RpDhsmnrG7ILQzXb3BO2bqbP+Xm1CNWkaZxRSZ +HKLwXAvKp+YLMJ7qAZRe5+E4c5i+9NdJWAFMHcVTIUdnJ2bPC1lwhCqC9zeuMj+j +U7U0Rt9sgy9azExK4/O8pvcYFS8JCpw5Kot/c+5C6F91Zj437k8hoSZhVIJgsvTF +PnEE+pt84p9vcd1CHKWRbB4QU92JpniJk2ZjNC184niG5bPbfJJrQda0xFKwLD8G +HYgr7rrfz6mNWqkCggEBANnUYmouBTVmgjnjJkq+OaUuyHv0LvBXdr+4DhSIMe03 +mEenRBj4AA9J9XCg0WnzX21gvistO+rJ+lHCiQjaY18LCz1KpDKnnliTVrlXsa9Y +Zyd8yZou0oX29fsEwjS/o0lJv9T+RxAjMXMTaDvLeybUIioFKBEHqUxkiMFCFygY ++8UA/PGXZB5ysgOJ3W1JTcNCTixM15+ItsJRjnqGtfm77jvTyGHPuG4VlJfYQg2B +HfP7p19RSJhqzNPhPpioXs5DJj0nVvbSDC4/ukJV5GltI87csjup/naSgBzhXvfH +F/4CBQdKPCsQVv27je/OEGzzd6B2E4IoIz5ZPzzJHSsCggEAVCKD/bENkgdRU+tA +kYuXAAZRxbmNSAK7PrKrdqXBd5hEW+GqSXNUSV+U6RpWxk26N0PsbCh/J1i35ykR +mRSMKM6CSmMUOa6ME0qUNXdaSQGYlA3wD3x5U46VHZbLGyqt2YnG6ROhhg7qVVIy +p1xwcPXpi8LQlkfNYobuTROFDijyJurrVwhCipeji6qbetM/bOwadFveYPJq//T5 +Azk6fxzYsv/jPsWyuRx4RZtWD2xAT3Y8Q7Zdllue80Sakh1gvlYHH0p5bgR72gTc +LBOXnCpiLT1m8aOReJPwrsEKuwUiQ8ssV/Bt6qJgN1Geed+OJWbswZO1qG0bjA/7 +I13SyQKCAQAeLgbUnzupgmJYktgjUue5sxmj0tkOA5A4T8/jmFsSerlmdA5DR1j6 +xUx0JlPdUhLOnLC8WrAKf6Fm4oUJ7PgHmwgbndPSENcnfoJte3Dq0ly4Y9mquwH/ +/Y9nD+m4VTTSWp1xbSl7WuTnBLFUV4TghFOXbs92TJFwPB2WaQm8THnVeaWR81+z +uEBhrSA4nAdiHjWmfZ8CQ3bOxW3wG+nqh9ciAt2ob5cl6WeFAjlklZcIzr0Jv8FH +HMT0NijuDaXU/gi2QFUULVXysnGj7zKOSMjFSF6JVawj0Xheh/sYaUUxtCXuNKLR +dJoY3Xt01iAAeFsCqFlblyQK52KTkWmxAoIBAQCDFtaLIp+gJ4kKCmUT30abaXXe +tb0D9CnXT1EQSpKqio9Soad1a9PZ6IkJU0Dhks2mJWX6CHR3mWpmXR31aWM/iP+u +X+/amrHPhzxyFCmbo+Vb96ZuelFvdZ0x4l6eM+qd9SxF+SnSyfdtnwOThLI7bZFc +L6rbYlTFdH3j6nksITAW1lp1W59jtkYQVIBl8rpiwNfgRFBf5FE9PKDjbG2WHx3a +kv81Ok5z6PV4BarViZ6hV2tP4b96/TbrXn08J6M4Gcn7KOn7UfYSP/2p7sIE+pC4 +EMO3sAR6IUU/utmknwY0Ou/enuzsq3RvpA/8kE4ZdRBMLUQeZZ4yzX0pyfSz +-----END RSA PRIVATE KEY----- From ef994a176c394bb290c972bb99f03741d65a7365 Mon Sep 17 00:00:00 2001 From: arlakshm <55814491+arlakshm@users.noreply.github.com> Date: Tue, 30 Jun 2020 06:29:20 -0700 Subject: [PATCH 02/11] syslog changes Multi ASIC platforms (#4738) Add changes for syslog support for containers running in namespaces on multi ASIC platforms. On Multi ASIC platforms Rsyslog service is only running on the host. There is no rsyslog service running in each namespace. On multi ASIC platforms the rsyslog service on the host will be listening on the docker0 ip address instead of loopback address. The rsyslog.conf on the containers is modified to have omfwd target ip to be docker0 ipaddress instead of loopback ip Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan --- files/build_templates/docker_image_ctl.j2 | 17 +++++ .../build_templates/sonic_debian_extension.j2 | 1 + files/image_config/rsyslog/rsyslog-config.sh | 21 ++++- .../rsyslog/rsyslog-container.conf.j2 | 76 +++++++++++++++++++ files/image_config/rsyslog/rsyslog.conf.j2 | 2 +- 5 files changed, 115 insertions(+), 2 deletions(-) create mode 100644 files/image_config/rsyslog/rsyslog-container.conf.j2 diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2 index 381480123f67..0a0461795944 100644 --- a/files/build_templates/docker_image_ctl.j2 +++ b/files/build_templates/docker_image_ctl.j2 @@ -27,6 +27,22 @@ link_namespace() { } {%- endif %} +function updateSyslogConf() +{ + # On multiNPU platforms, change the syslog target ip to docker0 ip to allow logs from containers + # running on the namespace to reach the rsyslog service running on the host + # Also update the container name + if [[ ($NUM_ASIC -gt 1) ]]; then + TARGET_IP=$(docker network inspect bridge --format={{ "'{{(index .IPAM.Config 0).Gateway}}'" }}) + CONTAINER_NAME="{{docker_container_name}}$DEV" + TMP_FILE="/tmp/rsyslog.$CONTAINER_NAME.conf" + + sonic-cfggen -t /usr/share/sonic/templates/rsyslog-container.conf.j2 -a "{\"target_ip\": \"$TARGET_IP\", \"container_name\": \"$CONTAINER_NAME\" }" > $TMP_FILE + docker cp $TMP_FILE {{docker_container_name}}$DEV:/etc/rsyslog.conf + rm -rf $TMP_FILE + fi +} + function getMountPoint() { echo $1 | python -c "import sys, json, os; mnts = [x for x in json.load(sys.stdin)[0]['Mounts'] if x['Destination'] == '/usr/share/sonic/hwsku']; print '' if len(mnts) == 0 else os.path.basename(mnts[0]['Source'])" 2>/dev/null @@ -68,6 +84,7 @@ function preStartAction() {%- else %} : # nothing {%- endif %} + updateSyslogConf } function postStartAction() diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2 index 925998f0aef9..737ce1271fa6 100644 --- a/files/build_templates/sonic_debian_extension.j2 +++ b/files/build_templates/sonic_debian_extension.j2 @@ -241,6 +241,7 @@ echo "warmboot-finalizer.service" | sudo tee -a $GENERATED_SERVICE_FILE sudo cp $IMAGE_CONFIGS/rsyslog/rsyslog-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM sudo cp $IMAGE_CONFIGS/rsyslog/rsyslog-config.sh $FILESYSTEM_ROOT/usr/bin/ sudo cp $IMAGE_CONFIGS/rsyslog/rsyslog.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ +sudo cp $IMAGE_CONFIGS/rsyslog/rsyslog-container.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ sudo cp $IMAGE_CONFIGS/rsyslog/rsyslog.d/* $FILESYSTEM_ROOT/etc/rsyslog.d/ echo "rsyslog-config.service" | sudo tee -a $GENERATED_SERVICE_FILE diff --git a/files/image_config/rsyslog/rsyslog-config.sh b/files/image_config/rsyslog/rsyslog-config.sh index c8ba7b99453c..26767d84fbe0 100755 --- a/files/image_config/rsyslog/rsyslog-config.sh +++ b/files/image_config/rsyslog/rsyslog-config.sh @@ -1,4 +1,23 @@ #!/bin/bash -sonic-cfggen -d -t /usr/share/sonic/templates/rsyslog.conf.j2 >/etc/rsyslog.conf +PLATFORM=`sonic-cfggen -H -v DEVICE_METADATA.localhost.platform` + +# Parse the device specific asic conf file, if it exists +ASIC_CONF=/usr/share/sonic/device/$PLATFORM/asic.conf +if [ -f "$ASIC_CONF" ]; then + source $ASIC_CONF +fi + +# On Multi NPU platforms we need to start the rsyslog server on the docker0 ip address +# for the syslogs from the containers in the namespaces to work. +# on Single NPU platforms we continue to use loopback adddres + +if [[ ($NUM_ASIC -gt 1) ]]; then + udp_server_ip=$(ip -o -4 addr list docker0 | awk '{print $4}' | cut -d/ -f1) +else + udp_server_ip=$(ip -o -4 addr list lo scope host | awk '{print $4}' | cut -d/ -f1) +fi + +sonic-cfggen -d -t /usr/share/sonic/templates/rsyslog.conf.j2 -a "{\"udp_server_ip\": \"$udp_server_ip\"}" >/etc/rsyslog.conf + systemctl restart rsyslog diff --git a/files/image_config/rsyslog/rsyslog-container.conf.j2 b/files/image_config/rsyslog/rsyslog-container.conf.j2 new file mode 100644 index 000000000000..d17fbb6767ba --- /dev/null +++ b/files/image_config/rsyslog/rsyslog-container.conf.j2 @@ -0,0 +1,76 @@ +# +# /etc/rsyslog.conf Configuration file for rsyslog. +# +# For more information see +# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html + + +################# +#### MODULES #### +################# + +$ModLoad imuxsock # provides support for local system logging + +# +# Set a rate limit on messages from the container +# +$SystemLogRateLimitInterval 300 +$SystemLogRateLimitBurst 20000 + +#$ModLoad imklog # provides kernel logging support +#$ModLoad immark # provides --MARK-- message capability + +# provides UDP syslog reception +#$ModLoad imudp +#$UDPServerRun 514 + +# provides TCP syslog reception +#$ModLoad imtcp +#$InputTCPServerRun 514 + + +########################### +#### GLOBAL DIRECTIVES #### +########################### + +# Set remote syslog server +template (name="ForwardFormatInContainer" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% {{container_name}}#%syslogtag%%msg:::sp-if-no-1st-sp%%msg%") +*.* action(type="omfwd" target="{{target_ip}}" port="514" protocol="udp" Template="ForwardFormatInContainer") + +# +# Use traditional timestamp format. +# To enable high precision timestamps, comment out the following line. +# +#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +# Define a custom template +$template SONiCFileFormat,"%TIMESTAMP%.%timestamp:::date-subseconds% %HOSTNAME% %syslogseverity-text:::uppercase% {{container_name}}#%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" +$ActionFileDefaultTemplate SONiCFileFormat + +# +# Set the default permissions for all log files. +# +$FileOwner root +$FileGroup adm +$FileCreateMode 0640 +$DirCreateMode 0755 +$Umask 0022 + +# +# Where to place spool and state files +# +$WorkDirectory /var/spool/rsyslog + +# +# Include all config files in /etc/rsyslog.d/ +# +$IncludeConfig /etc/rsyslog.d/*.conf + +# +# Suppress duplicate messages and report "message repeated n times" +# +$RepeatedMsgReduction on + +############### +#### RULES #### +############### diff --git a/files/image_config/rsyslog/rsyslog.conf.j2 b/files/image_config/rsyslog/rsyslog.conf.j2 index fbf8bf20160a..37410293a45f 100644 --- a/files/image_config/rsyslog/rsyslog.conf.j2 +++ b/files/image_config/rsyslog/rsyslog.conf.j2 @@ -19,7 +19,7 @@ $ModLoad imklog # provides kernel logging support # provides UDP syslog reception $ModLoad imudp -$UDPServerAddress 127.0.0.1 # bind to localhost before udp server run +$UDPServerAddress {{udp_server_ip}} #bind to localhost before udp server run $UDPServerRun 514 # provides TCP syslog reception From 22bf545bb6d1285caee1a3fd620a55464b894c86 Mon Sep 17 00:00:00 2001 From: Volodymyr Boiko <66446128+vboykox@users.noreply.github.com> Date: Tue, 30 Jun 2020 19:07:37 +0300 Subject: [PATCH 03/11] [sonic-platform-common] Update submodule (#4871) * src/sonic-platform-common 82bbeab...42781ff (1): > [SfpBase] Fix key name typo in docstring (#99) Signed-off-by: Volodymyr Boyko --- src/sonic-platform-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sonic-platform-common b/src/sonic-platform-common index 82bbeabc59b7..42781ff90413 160000 --- a/src/sonic-platform-common +++ b/src/sonic-platform-common @@ -1 +1 @@ -Subproject commit 82bbeabc59b78886b5cadffe0998c8fe67031343 +Subproject commit 42781ff90413efe2ff709908a5318c85ca67f058 From ba234abd2b6f0d3a7deb8073b6c4b349cec1a3e7 Mon Sep 17 00:00:00 2001 From: Kebo Liu Date: Tue, 30 Jun 2020 21:32:56 +0300 Subject: [PATCH 04/11] [mellanox]: Update SAI to 1.16.5 (#4873) 1. Upgrade SAI headers to v1.6.3 2. Fix traffic lost during FFB related to buffer config + optimize buffer config timing for FB 3. Add ACL fields BTH, IP flags 4. Add ACL infrastructure of different fields per ASIC type --- platform/mellanox/mlnx-sai.mk | 2 +- platform/mellanox/mlnx-sai/SAI-Implementation | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/platform/mellanox/mlnx-sai.mk b/platform/mellanox/mlnx-sai.mk index ba954beb7ae0..a978926f33e1 100644 --- a/platform/mellanox/mlnx-sai.mk +++ b/platform/mellanox/mlnx-sai.mk @@ -1,6 +1,6 @@ # Mellanox SAI -MLNX_SAI_VERSION = SAIRel1.16.4.1-sai16 +MLNX_SAI_VERSION = SAIRel1.16.5-sai16 export MLNX_SAI_VERSION diff --git a/platform/mellanox/mlnx-sai/SAI-Implementation b/platform/mellanox/mlnx-sai/SAI-Implementation index b318bb380ac1..0ddcb4e6d12e 160000 --- a/platform/mellanox/mlnx-sai/SAI-Implementation +++ b/platform/mellanox/mlnx-sai/SAI-Implementation @@ -1 +1 @@ -Subproject commit b318bb380ac13dba98c94b163fbe644ab7eb236e +Subproject commit 0ddcb4e6d12efdd5255529ed53cc785351e8b3b3 From 6e1ae359f32a6dfd568c5767df4567f531718edb Mon Sep 17 00:00:00 2001 From: judyjoseph <53951155+judyjoseph@users.noreply.github.com> Date: Tue, 30 Jun 2020 14:32:04 -0700 Subject: [PATCH 05/11] Support for connecting to DB in namespace via TCP port in multi-asic platform. (#4779) * Support for connecting to DB in namespace via IP:port ( using docker bridge network ) for applications in multi-asic platform. * Added the default IP as 127.0.0.1 if the IPaddress derivation from interface fails. Moved the localhost loopback IP binding logic into the supervisor.j2 file. --- .../docker-database/database_config.json.j2 | 2 +- .../docker-database/docker-database-init.sh | 19 ++++++++++++++++++- dockers/docker-database/supervisord.conf.j2 | 7 ++++++- 3 files changed, 25 insertions(+), 3 deletions(-) diff --git a/dockers/docker-database/database_config.json.j2 b/dockers/docker-database/database_config.json.j2 index 3383ec161144..6d116b5e1ae0 100644 --- a/dockers/docker-database/database_config.json.j2 +++ b/dockers/docker-database/database_config.json.j2 @@ -1,7 +1,7 @@ { "INSTANCES": { "redis":{ - "hostname" : "127.0.0.1", + "hostname" : "{{HOST_IP}}", "port" : 6379, "unix_socket_path" : "/var/run/redis{{NAMESPACE_ID}}/redis.sock", "persistence_for_warm_boot" : "yes" diff --git a/dockers/docker-database/docker-database-init.sh b/dockers/docker-database/docker-database-init.sh index 5dae34d8f616..645a7d99272a 100755 --- a/dockers/docker-database/docker-database-init.sh +++ b/dockers/docker-database/docker-database-init.sh @@ -1,12 +1,29 @@ #!/usr/bin/env bash +# For linux host namespace, in both single and multi ASIC platform use the loopback interface +# For other namespaces, use eth0 interface which is connected to the docker0 bridge in the host. +if [[ $NAMESPACE_ID == "" ]] +then + INTFC=lo +else + INTFC=eth0 +fi + +# Get the ip address of the interface +# if the ip address was not retrieved correctly, put localhost(127.0.0.1) as the default. +host_ip=$(ip -4 -o addr show $INTFC | awk '{print $4}' | cut -d'/' -f1 | head -1) +if [[ $host_ip == "" ]] +then + host_ip=127.0.0.1 +fi + REDIS_DIR=/var/run/redis$NAMESPACE_ID mkdir -p $REDIS_DIR/sonic-db if [ -f /etc/sonic/database_config$NAMESPACE_ID.json ]; then cp /etc/sonic/database_config$NAMESPACE_ID.json $REDIS_DIR/sonic-db/database_config.json else - j2 /usr/share/sonic/templates/database_config.json.j2 > $REDIS_DIR/sonic-db/database_config.json + HOST_IP=$host_ip j2 /usr/share/sonic/templates/database_config.json.j2 > $REDIS_DIR/sonic-db/database_config.json fi mkdir -p /etc/supervisor/conf.d/ diff --git a/dockers/docker-database/supervisord.conf.j2 b/dockers/docker-database/supervisord.conf.j2 index 44268274cdad..6d4557dab705 100644 --- a/dockers/docker-database/supervisord.conf.j2 +++ b/dockers/docker-database/supervisord.conf.j2 @@ -20,7 +20,12 @@ stderr_logfile=syslog {% if INSTANCES %} {% for redis_inst, redis_items in INSTANCES.iteritems() %} [program: {{ redis_inst }}] -command=/bin/bash -c "{ [[ -s /var/lib/{{ redis_inst }}/dump.rdb ]] || rm -f /var/lib/{{ redis_inst }}/dump.rdb; } && mkdir -p /var/lib/{{ redis_inst }} && exec /usr/bin/redis-server /etc/redis/redis.conf --port {{ redis_items['port'] }} --unixsocket {{ redis_items['unix_socket_path'] }} --pidfile /var/run/redis/{{ redis_inst }}.pid --dir /var/lib/{{ redis_inst }}" +{% if redis_items['hostname'] != '127.0.0.1' %} +{%- set LOOPBACK_IP = '127.0.0.1' -%} +{%- else -%} +{%- set LOOPBACK_IP = '' -%} +{%- endif -%} +command=/bin/bash -c "{ [[ -s /var/lib/{{ redis_inst }}/dump.rdb ]] || rm -f /var/lib/{{ redis_inst }}/dump.rdb; } && mkdir -p /var/lib/{{ redis_inst }} && exec /usr/bin/redis-server /etc/redis/redis.conf --bind {{ LOOPBACK_IP }} {{ redis_items['hostname'] }} --port {{ redis_items['port'] }} --unixsocket {{ redis_items['unix_socket_path'] }} --pidfile /var/run/redis/{{ redis_inst }}.pid --dir /var/lib/{{ redis_inst }}" priority=2 autostart=true autorestart=false From ed7fafce7741f4641d128f8c053eabfeaac7de80 Mon Sep 17 00:00:00 2001 From: Mahesh Maddikayala <10645050+smaheshm@users.noreply.github.com> Date: Tue, 30 Jun 2020 16:29:47 -0700 Subject: [PATCH 06/11] [sonic-sairedis] sonic-sairedis submodule update (#4847) * sonic-sairedis submodule update * Update BRCM SAI to 3.7.5.1 --- platform/broadcom/sai.mk | 8 ++++---- src/sonic-sairedis | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/platform/broadcom/sai.mk b/platform/broadcom/sai.mk index 572ae0a70f68..8599e712a3ff 100644 --- a/platform/broadcom/sai.mk +++ b/platform/broadcom/sai.mk @@ -1,8 +1,8 @@ -BRCM_SAI = libsaibcm_3.7.4.2-2_amd64.deb -$(BRCM_SAI)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/libsaibcm_3.7.4.2-2_amd64.deb?sv=2015-04-05&sr=b&sig=sl819d71a%2BcgrDtOt%2BmywfSL9N2EQS58qMJFq0aKqo8%3D&se=2034-02-11T20%3A28%3A46Z&sp=r" -BRCM_SAI_DEV = libsaibcm-dev_3.7.4.2-2_amd64.deb +BRCM_SAI = libsaibcm_3.7.5.1_amd64.deb +$(BRCM_SAI)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/libsaibcm_3.7.5.1_amd64.deb?sv=2015-04-05&sr=b&sig=hZLFA8GbuY83MW9g2ggfe53ATx9riuyL1JYXIe1Bib4%3D&se=2034-03-04T00%3A08%3A23Z&sp=r" +BRCM_SAI_DEV = libsaibcm-dev_3.7.5.1_amd64.deb $(eval $(call add_derived_package,$(BRCM_SAI),$(BRCM_SAI_DEV))) -$(BRCM_SAI_DEV)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/libsaibcm-dev_3.7.4.2-2_amd64.deb?sv=2015-04-05&sr=b&sig=cvOpP0PWFVmBNeYLMkxyI4BFBQf1DopD32t%2B3AkJHRg%3D&se=2034-02-11T20%3A27%3A46Z&sp=r" +$(BRCM_SAI_DEV)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/libsaibcm-dev_3.7.5.1_amd64.deb?sv=2015-04-05&sr=b&sig=i5GcJ8ATr4NL5iLth6DrX8YXxe7ir5OsXN7fxJISvCE%3D&se=2034-03-04T00%3A09%3A48Z&sp=r" SONIC_ONLINE_DEBS += $(BRCM_SAI) $(BRCM_SAI_DEV)_DEPENDS += $(BRCM_SAI) diff --git a/src/sonic-sairedis b/src/sonic-sairedis index 322dd01db434..ef721595520d 160000 --- a/src/sonic-sairedis +++ b/src/sonic-sairedis @@ -1 +1 @@ -Subproject commit 322dd01db434d00394898d4d1ac34433e95447cd +Subproject commit ef721595520d827277610d11e24082934afc4df8 From 218714441b35f9188aea1d204f71de4d12c75967 Mon Sep 17 00:00:00 2001 From: Akhilesh Samineni <47657796+AkhileshSamineni@users.noreply.github.com> Date: Wed, 1 Jul 2020 15:22:52 +0530 Subject: [PATCH 07/11] [docker-nat]: Updated the NAT iptables patch for 4.19 buster (#4843) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updated the NAT iptables patch for 4.19 buster Depends on PR : Azure/sonic-linux-kernel#147 1 Known issue: With both NAT patch files for 4.19 buster kernel, seeing 1 display issue in iptables like explained below On Docker NAT, iptables supported version is 1.6.0 and on base OS it’s 1.8.2. So seeing an display issue of which fullcone option is not showing in version 1.8.2 iptables output and no issues in functionality. Display issue – For example of comparsion: NAT Docker: root@sonic:/home/admin# docker exec -it nat bash root@sonic:/# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1 fullcone Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 30 packets, 2749 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 30 packets, 2749 bytes) pkts bytes target prot opt in out source destination root@sonic:/# Base OS: root@sonic:/home/admin# iptables-legacy -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 1 36 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1 Chain INPUT (policy ACCEPT 1 packets, 36 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 41 packets, 3572 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 41 packets, 3572 bytes) pkts bytes target prot opt in out source destination root@sonic:/home/admin# To fix this issue, iptables need to update from 1.6.0 to 1.8.2 version and have to update the NAT docker from stretch to buster. Will raise a new PR with this. Signed-off-by: Akhilesh Samineni akhilesh.samineni@broadcom.com Signed-off-by: Akhilesh Samineni --- .../0001-Passing-fullcone-option-for-SNAT-and-DNAT.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/iptables/patch/0001-Passing-fullcone-option-for-SNAT-and-DNAT.patch b/src/iptables/patch/0001-Passing-fullcone-option-for-SNAT-and-DNAT.patch index f7fba85a270b..528ce8edea2d 100644 --- a/src/iptables/patch/0001-Passing-fullcone-option-for-SNAT-and-DNAT.patch +++ b/src/iptables/patch/0001-Passing-fullcone-option-for-SNAT-and-DNAT.patch @@ -19,7 +19,7 @@ index a14d16f..4bfab98 100644 +/* Temporarily defining here, need to be picked up from the + * new kernel header linux/netfilter/nf_nat.h */ -+#define NF_NAT_RANGE_FULLCONE (1 << 5) ++#define NF_NAT_RANGE_FULLCONE (1 << 6) + enum { O_TO_DEST = 0, @@ -106,7 +106,7 @@ index b7b5fc7..88ff650 100644 +/* Temporarily defining here, need to be picked up from the + * new kernel header linux/netfilter/nf_nat.h */ -+#define NF_NAT_RANGE_FULLCONE (1 << 5) ++#define NF_NAT_RANGE_FULLCONE (1 << 6) + enum { O_TO_PORTS = 0, @@ -181,7 +181,7 @@ index e92d811..9634ba9 100644 +/* Temporarily defining here, need to be picked up from the + * new kernel header linux/netfilter/nf_nat.h */ -+#define NF_NAT_RANGE_FULLCONE (1 << 5) ++#define NF_NAT_RANGE_FULLCONE (1 << 6) + enum { O_TO_SRC = 0, From 243268f11c202a5f2140c5312136b8fd1ceb8e68 Mon Sep 17 00:00:00 2001 From: Mahesh Maddikayala <10645050+smaheshm@users.noreply.github.com> Date: Wed, 1 Jul 2020 09:08:21 -0700 Subject: [PATCH 08/11] Fix in libsaibcm for high CPU utilization of syncd (#4874) --- platform/broadcom/sai.mk | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/platform/broadcom/sai.mk b/platform/broadcom/sai.mk index 8599e712a3ff..bda1231bf2a9 100644 --- a/platform/broadcom/sai.mk +++ b/platform/broadcom/sai.mk @@ -1,8 +1,8 @@ -BRCM_SAI = libsaibcm_3.7.5.1_amd64.deb -$(BRCM_SAI)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/libsaibcm_3.7.5.1_amd64.deb?sv=2015-04-05&sr=b&sig=hZLFA8GbuY83MW9g2ggfe53ATx9riuyL1JYXIe1Bib4%3D&se=2034-03-04T00%3A08%3A23Z&sp=r" -BRCM_SAI_DEV = libsaibcm-dev_3.7.5.1_amd64.deb +BRCM_SAI = libsaibcm_3.7.5.1-1_amd64.deb +$(BRCM_SAI)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/master/libsaibcm_3.7.5.1-1_amd64.deb?sv=2015-04-05&sr=b&sig=vSaGIDz2fHBtQXmwJ8OrulAF1N%2Bwk%2B51CkqwNiZFx6I%3D&se=2034-03-10T00%3A45%3A39Z&sp=r" +BRCM_SAI_DEV = libsaibcm-dev_3.7.5.1-1_amd64.deb $(eval $(call add_derived_package,$(BRCM_SAI),$(BRCM_SAI_DEV))) -$(BRCM_SAI_DEV)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/libsaibcm-dev_3.7.5.1_amd64.deb?sv=2015-04-05&sr=b&sig=i5GcJ8ATr4NL5iLth6DrX8YXxe7ir5OsXN7fxJISvCE%3D&se=2034-03-04T00%3A09%3A48Z&sp=r" +$(BRCM_SAI_DEV)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/master/libsaibcm-dev_3.7.5.1-1_amd64.deb?sv=2015-04-05&sr=b&sig=XpczZg8q3b2z3754wXdc4faOXOFofdlydJKEQaed01o%3D&se=2034-03-10T00%3A46%3A38Z&sp=r" SONIC_ONLINE_DEBS += $(BRCM_SAI) $(BRCM_SAI_DEV)_DEPENDS += $(BRCM_SAI) From 59010f0d56a823e713bdc4f07ff9b5d052ca1665 Mon Sep 17 00:00:00 2001 From: Pavel Shirshov Date: Wed, 1 Jul 2020 13:11:32 -0700 Subject: [PATCH 09/11] Use jinja2 python package from pypi --- sonic-slave-buster/Dockerfile.j2 | 5 +---- sonic-slave-jessie/Dockerfile.j2 | 3 +-- sonic-slave-stretch/Dockerfile.j2 | 5 +---- 3 files changed, 3 insertions(+), 10 deletions(-) diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2 index 87f39c10b9b3..d24e73ea87f2 100644 --- a/sonic-slave-buster/Dockerfile.j2 +++ b/sonic-slave-buster/Dockerfile.j2 @@ -232,7 +232,6 @@ RUN apt-get update && apt-get install -y \ libjs-sphinxdoc \ libjs-underscore \ python-docutils \ - python-jinja2 \ python-markupsafe \ python-pygments \ python-roman \ @@ -241,7 +240,6 @@ RUN apt-get update && apt-get install -y \ python3-sphinx \ # For sonic config engine testing python-lxml \ - python-jinja2 \ python-netaddr \ python-ipaddr \ python-yaml \ @@ -342,8 +340,7 @@ RUN pip install \ # For sonic config engine testing RUN pip install pyangbind==0.6.0 -# Note: force upgrade debian packaged jinja2, if installed -RUN pip install --force-reinstall --upgrade "jinja2>=2.10" +RUN pip install "jinja2>=2.10" # For templating RUN pip install j2cli==0.3.10 diff --git a/sonic-slave-jessie/Dockerfile.j2 b/sonic-slave-jessie/Dockerfile.j2 index 2df3828c4096..0975ec2915e5 100644 --- a/sonic-slave-jessie/Dockerfile.j2 +++ b/sonic-slave-jessie/Dockerfile.j2 @@ -304,8 +304,7 @@ RUN pip install \ # For sonic config engine testing RUN pip install pyangbind==0.6.0 -# Note: force upgrade debian packaged jinja2, if installed -RUN pip install --force-reinstall --upgrade "jinja2>=2.10" +RUN pip install "jinja2>=2.10" # For templating (requiring jinja2) RUN pip install j2cli==0.3.10 diff --git a/sonic-slave-stretch/Dockerfile.j2 b/sonic-slave-stretch/Dockerfile.j2 index c145465bb191..f1fe144df650 100644 --- a/sonic-slave-stretch/Dockerfile.j2 +++ b/sonic-slave-stretch/Dockerfile.j2 @@ -233,7 +233,6 @@ RUN apt-get update && apt-get install -y \ libjs-sphinxdoc \ libjs-underscore \ python-docutils \ - python-jinja2 \ python-markupsafe \ python-pygments \ python-roman \ @@ -242,7 +241,6 @@ RUN apt-get update && apt-get install -y \ python3-sphinx \ # For sonic config engine testing python-lxml \ - python-jinja2 \ python-netaddr \ python-ipaddr \ python-yaml \ @@ -341,8 +339,7 @@ RUN pip install \ # For sonic config engine testing RUN pip install pyangbind==0.6.0 -# Note: force upgrade debian packaged jinja2, if installed -RUN pip install --force-reinstall --upgrade "jinja2>=2.10" +RUN pip install "jinja2>=2.10" # For templating RUN pip install j2cli==0.3.10 From 1fae8e4e321895c50da67002f9ea92e1eb797c15 Mon Sep 17 00:00:00 2001 From: Pavel Shirshov Date: Wed, 1 Jul 2020 13:17:34 -0700 Subject: [PATCH 10/11] Pin the jinja2 version --- sonic-slave-buster/Dockerfile.j2 | 2 +- sonic-slave-jessie/Dockerfile.j2 | 2 +- sonic-slave-stretch/Dockerfile.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2 index d24e73ea87f2..5768163ccb41 100644 --- a/sonic-slave-buster/Dockerfile.j2 +++ b/sonic-slave-buster/Dockerfile.j2 @@ -340,7 +340,7 @@ RUN pip install \ # For sonic config engine testing RUN pip install pyangbind==0.6.0 -RUN pip install "jinja2>=2.10" +RUN pip install Jinja2==2.11.2 # For templating RUN pip install j2cli==0.3.10 diff --git a/sonic-slave-jessie/Dockerfile.j2 b/sonic-slave-jessie/Dockerfile.j2 index 0975ec2915e5..885e1f2cc5cd 100644 --- a/sonic-slave-jessie/Dockerfile.j2 +++ b/sonic-slave-jessie/Dockerfile.j2 @@ -304,7 +304,7 @@ RUN pip install \ # For sonic config engine testing RUN pip install pyangbind==0.6.0 -RUN pip install "jinja2>=2.10" +RUN pip install Jinja2==2.11.2 # For templating (requiring jinja2) RUN pip install j2cli==0.3.10 diff --git a/sonic-slave-stretch/Dockerfile.j2 b/sonic-slave-stretch/Dockerfile.j2 index f1fe144df650..5baf4bc3df8d 100644 --- a/sonic-slave-stretch/Dockerfile.j2 +++ b/sonic-slave-stretch/Dockerfile.j2 @@ -339,7 +339,7 @@ RUN pip install \ # For sonic config engine testing RUN pip install pyangbind==0.6.0 -RUN pip install "jinja2>=2.10" +RUN pip install Jinja2==2.11.2 # For templating RUN pip install j2cli==0.3.10 From b8872dcec9b8d54440bd66232d9fb017ba3d9e06 Mon Sep 17 00:00:00 2001 From: Pavel Shirshov Date: Wed, 1 Jul 2020 15:54:50 -0700 Subject: [PATCH 11/11] Update --- sonic-slave-buster/Dockerfile.j2 | 1 - sonic-slave-jessie/Dockerfile.j2 | 3 ++- sonic-slave-stretch/Dockerfile.j2 | 3 +-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2 index 5768163ccb41..04197e91ce42 100644 --- a/sonic-slave-buster/Dockerfile.j2 +++ b/sonic-slave-buster/Dockerfile.j2 @@ -340,7 +340,6 @@ RUN pip install \ # For sonic config engine testing RUN pip install pyangbind==0.6.0 -RUN pip install Jinja2==2.11.2 # For templating RUN pip install j2cli==0.3.10 diff --git a/sonic-slave-jessie/Dockerfile.j2 b/sonic-slave-jessie/Dockerfile.j2 index 885e1f2cc5cd..fdc53626dc77 100644 --- a/sonic-slave-jessie/Dockerfile.j2 +++ b/sonic-slave-jessie/Dockerfile.j2 @@ -304,7 +304,8 @@ RUN pip install \ # For sonic config engine testing RUN pip install pyangbind==0.6.0 -RUN pip install Jinja2==2.11.2 +# Note: force upgrade debian packaged jinja2, if installed RUN pip install Jinja2==2.11.2 +RUN pip install --force-reinstall --upgrade "Jinja2>=2.11.2" # For templating (requiring jinja2) RUN pip install j2cli==0.3.10 diff --git a/sonic-slave-stretch/Dockerfile.j2 b/sonic-slave-stretch/Dockerfile.j2 index 5baf4bc3df8d..2e8248f8cfb7 100644 --- a/sonic-slave-stretch/Dockerfile.j2 +++ b/sonic-slave-stretch/Dockerfile.j2 @@ -37,7 +37,7 @@ RUN echo "deb [arch=arm64] http://deb.debian.org/debian stretch main contrib non ## Make apt-get non-interactive ENV DEBIAN_FRONTEND=noninteractive -RUN apt-get update && apt-get install -y \ +RUN apt-get update && apt-get install -t stretch-backports -y \ apt-utils \ default-jre-headless \ openssh-server \ @@ -339,7 +339,6 @@ RUN pip install \ # For sonic config engine testing RUN pip install pyangbind==0.6.0 -RUN pip install Jinja2==2.11.2 # For templating RUN pip install j2cli==0.3.10