forked from sonic-net/sonic-buildimage
201811 #207 (Merged)
… packets (#4412)

Modified caclmgrd behavior to enhance control plane security as follows. Upon starting or receiving notification of ACL table/rule changes in Config DB:

1. Add iptables/ip6tables commands to allow all incoming packets from established TCP sessions or new TCP sessions which are related to established TCP sessions
2. Add iptables/ip6tables commands to allow bidirectional ICMPv4 ping and traceroute
3. Add iptables/ip6tables commands to allow bidirectional ICMPv6 ping and traceroute
4. Add iptables/ip6tables commands to allow all incoming Neighbor Discovery Protocol (NDP) NS/NA/RS/RA messages
5. Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
6. Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
7. Add iptables/ip6tables commands to allow all incoming BGP traffic
8. Add iptables/ip6tables commands for all ACL rules for recognized services (currently SSH, SNMP, NTP)
9. For all services for which we did not find configured ACL rules, add iptables/ip6tables commands to allow all incoming packets for those services (allows the device to accept SSH connections before the device is configured)
10. Add iptables rules to drop all packets destined for loopback interface IP addresses
11. Add iptables rules to drop all packets destined for management interface IP addresses
12. Add iptables rules to drop all packets destined for point-to-point interface IP addresses
13. Add iptables rules to drop all packets destined for our VLAN interface gateway IP addresses
14. Add iptables/ip6tables commands to allow all incoming packets with TTL of 0 or 1 (this allows the device to respond to tools like tcptraceroute)
15. If we found control plane ACLs in the configuration and applied them, we lastly add iptables/ip6tables commands to drop all other incoming packets
… present (#4581) Since the introduction of VRF, interface-related tables in ConfigDB will have multiple entries, one of which only contains the interface name and no IP prefix. Thus, when iterating over the keys in the tables, we need to ignore the entries which do not contain IP prefixes.
**- Why I did it**

When I tested the auto-restart feature of the swss container by manually killing one of the critical processes in it, swss will be stopped. Then the syncd container, as the peer container, should also be stopped as expected. However, I found that sometimes the syncd container can be stopped and sometimes it cannot be stopped. The reason why the syncd container cannot be stopped is that the process (/usr/local/bin/syncd.sh stop) executing the stop() function will be stuck between lines 164–167. Systemd will wait for 90 seconds and then kill this process.

```
164 # wait until syncd quit gracefully
165 while docker top syncd$DEV | grep -q /usr/bin/syncd; do
166     sleep 0.1
167 done
```

The first thing I did was to profile how long this while loop will spin if the syncd container can be normally stopped after the swss container is stopped. The result is 5 seconds or 6 seconds. If the syncd container can be normally stopped, two messages will be written into syslog:

```
str-a7050-acs-3 NOTICE syncd#dsserve: child /usr/bin/syncd exited status: 134
str-a7050-acs-3 INFO syncd#supervisord: syncd [5] child /usr/bin/syncd exited status: 134
```

The second thing I did was to add a timer in the condition of the while loop to ensure this while loop will be forced to exit after 20 seconds. After that, the testing result is that the syncd container can be normally stopped if swss is stopped first.

One more thing I want to mention is that if the syncd container is stopped within 5 seconds or 6 seconds, then the two log messages can still be seen in syslog. However, if the execution time of the while loop is longer than 20 seconds and it is forced to exit, although the syncd container can be stopped, I did not see these two messages in syslog. Further, although I observed that the auto-restart feature of the swss container can work correctly right now, I cannot be sure that the issue where the syncd container cannot be stopped will not occur in the future.

**- How I did it**

I added a timer around the while loop in the stop() function. This while loop will exit after spinning 20 seconds.

Signed-off-by: Yong Zhao <yozhao@microsoft.com>
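The bounded-wait pattern the commit describes, as an added example that is not the PR's own code nor the SONiC syncd.sh script: a POSIX sh function that polls a command every 0.1 seconds, as the original loop polls `docker top syncd$DEV | grep -q /usr/bin/syncd`, but gives up after a deadline instead of spinning until systemd kills the stop script 90 seconds later. The command to poll and the 20-second default are passed as arguments (assumed names `wait_for_exit`, `CMD`, `TIMEOUT_SECONDS`), so the function runs offline with `true`/`false` standing in for the docker/grep pipeline.

```shell
#!/bin/sh
# Added example, not from the PR: a polling wait with a deadline.

# wait_for_exit CMD TIMEOUT_SECONDS
#   Re-runs CMD every 0.1s for as long as it succeeds (CMD succeeding means
#   "the process is still there", like `docker top ... | grep -q`).
#   Returns 0 when CMD stops succeeding before the deadline, 1 when the
#   deadline passes. The caller logs the timeout and carries on with the
#   rest of stop(), instead of hanging until systemd's 90-second kill.
wait_for_exit() {
    cmd="$1"
    timeout="${2:-20}"            # default matches the commit's 20 seconds
    start=$(date +%s)
    while eval "$cmd"; do
        now=$(date +%s)
        if [ $((now - start)) -ge "$timeout" ]; then
            echo "timed out after ${timeout}s waiting for process to quit" >&2
            return 1
        fi
        sleep 0.1
    done
    return 0
}

# Demo with constructed stand-ins for the docker/grep pipeline:
# `false` = process already gone, so the loop exits on the first check.
if wait_for_exit 'false' 20; then
    echo "process gone, continuing with stop()"
fi
```

In the real script the first argument would be the `docker top syncd$DEV | grep -q /usr/bin/syncd` pipeline; the timed-out branch is where the commit's observation applies that the `exited status: 134` syslog lines may not appear when the deadline is hit.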
I found that with IPv4Network types, calling list(ip_ntwrk.hosts()) is reliable. However, when doing the same with an IPv6Network, I found that the conversion to a list can hang indefinitely. This appears to me to be a bug in the ipaddress.IPv6Network implementation. However, I could not find any other reports on the web. This patch changes the behavior to call next() on the ip_ntwrk.hosts() generator instead, which returns the IP address of the first host.
- Broadcom SAI 3.5 GA code drop on 20200608. Changes:
  - CS9533198
  - CS10283709
  - CS00009716645
  - CS00010389861
  - CS00010406122
  - CS00010503275
  - Addressed a few memory leak issues.
  - Addressed an array memory allocation issue.
  - Addressed assert during SER handling.

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
Found another syncd timing issue related to clock going backwards. To be safe disable the ntp long jump. Signed-off-by: Ying Xie <ying.xie@microsoft.com>
- Add missed BGP tables into the schema (#351) Signed-off-by: Ying Xie <ying.xie@microsoft.com>
Don't limit iptables connection tracking to TCP protocol; allow connection tracking for all protocols. This allows services like NTP, which is UDP-based, to receive replies from an NTP server even if the port is blocked, as long as it is in reply to a request sent from the device itself.
While migrating to SONiC 20181130, identified a couple of issues:

1. union-mount needs /host/machine.conf parameters for vendor-specific checks; however, in case of migration, the /host/machine.conf is extracted from ONIE only in https://github.com/Azure/sonic-buildimage/blob/master/files/image_config/platform/rc.local#L127.
2. Since grub.cfg is updated to have net.ifnames=0 biosdevname=0, 70-persistent-net.rules changes are no longer required.
FDB/ARP/default route files are deleted after swssconfig. This makes debugging/validation of device conversion hard. This PR saves those files in order to facilitate debugging of device conversion. Signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
Signed-off-by: Guohan Lu <lguohan@gmail.com>
…1811 branch (#4867) Update fancontrol service for Seastone-DX010/E1031 device to support hysteresis temperature threshold and difference config for each unit fan direction type (B2F/F2B); follow master branch
Fix the method get_transceiver_change_event to abide by the function description, return True status and use timeout in milliseconds. Co-authored-by: Zhi Yuan Carl Zhao <zyzhao@arista.com>
- [filter-fdb] Fix For Vlan Defined With No CIDR (#976) Signed-off-by: Ying Xie <ying.xie@microsoft.com>
sonic-quagga repository has new fix. Update submodule to bring the fix into the image.
sonic-quagga using utility from master branch of sonic-buildimage. I had to create 201811 branch in sonic-quagga which could work with 201811 branch of sonic-buildimage.
- [psutil] pin psutil version to 5.7.0. Signed-off-by: Ying Xie <ying.xie@microsoft.com>
If a device had a master or 201911 image then installed a 201811 image, it could result in a prefdl that was not properly processed by 201811 Arista code. This is a commit that was on 201911 and master branch. Co-authored-by: Zhi Yuan Carl Zhao <zyzhao@arista.com>
Fix an error which causes a bgpcfgd crash on an invalid IP address. Before the fix we had an issue here: when either the loopback IPv4 or IPv6 address was already set and bgpcfgd received another "SET" message for the already set loopback IP address, bgpcfgd would send a syslog message about an ambiguous IP address (despite the fact that the address is good) and crash. With this change this behavior is changed: if we receive an IP address and this IP address is already set, bgpcfgd will send this message to the syslog and return from the handler.
Signed-off-by: Zhenggen Xu <zxu@linkedin.com>
* Dell S6100 Port I2C changes to 201811 branch
* Update s6100_i2c_enumeration.sh
The first partition starting point was changed to be 1M as part of this commit: 6ba2f97. On systems that are misaligned before conversion (partition start is the first sector), the relic partition that is left in the first MB can cause problems in Aboot and result in corruption of the filesystem on the new aligned partition. Zeroing this old relic makes sure that there is nothing left of the old partition lying around. There won't be any risk of having Aboot corrupt the new filesystem because of the old relic. Signed-off-by: Baptiste Covolato <baptiste@arista.com>
tiantianlv approved these changes on Aug 26, 2020.

jerseyang pushed a commit that referenced this pull request on Jun 4, 2021:
…onic-net#7647) Includes below commits

```
sonic-swss
05f0438 2021-05-19 | Fix build error (sonic-net#1751) [Shi Su]
1682a8d 2021-05-12 | [Bulk mode] Improve log in bulk failures (sonic-net#1740) [Shi Su]
4509e88 2021-04-27 | [routeorch] Add support for blackhole routes (sonic-net#1723) [Shi Su]
642014d 2019-10-31 | [fix] Use the same storm detection condition for queue occupancy non-zero case as the zero case (sonic-net#1111) [Wenda Ni]

sonic-utilities
97fc442 2021-05-10 | [config]: Use mod_entry when editing VLAN_INTERFACE (sonic-net#1602) [Lawrence Lee]
f60d579 2021-04-15 | [techsupport] Update show ip interface command (sonic-net#1562) [Mahesh Maddikayala]
821d29d 2021-04-14 | Fix Multi-ASIC show specific resursive route by using common parsing function (sonic-net#1560) [gechiang]

sonic-linux-kernel
61b331f 2021-05-06 | [dps200] Add dps200 PSU module driver (#207) [schobtr]

sonic-platform-daemons
5d2960f 2021-05-17 | [xcvrd] add support for logging mux_metrics events into state DB (#185) [vdahiya12]
a5c9207 2021-05-11 | [thermalctld] Enable stopping thermal manager (#180) [Junchao-Mellanox]
9123f63 2021-05-10 | [muxcable] Remove Xcvrd Sleep (#174) [Tamer Ahmed]
```