From 3437e35f7e0cc258b39ba5cef1e659b66c85b9f5 Mon Sep 17 00:00:00 2001
From: Suvarna Meenakshi
Date: Fri, 19 Aug 2022 18:46:47 +0000
Subject: [PATCH 1/4] [caclmgrd][chassis]: Add ip tables rules to accept internal docker traffic from fabric asic namespaces.
Signed-off-by: Suvarna Meenakshi
---
 scripts/caclmgrd | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/scripts/caclmgrd b/scripts/caclmgrd
index 19e42a8b48a8..9974a16cd109 100755
--- a/scripts/caclmgrd
+++ b/scripts/caclmgrd
@@ -135,22 +135,26 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 self.config_db_map[front_asic_namespace] = swsscommon.ConfigDBConnector(use_unix_socket_path=True, namespace=front_asic_namespace)
 self.config_db_map[front_asic_namespace].connect()
- self.iptables_cmd_ns_prefix[front_asic_namespace] = "ip netns exec " + front_asic_namespace + " "
- self.namespace_docker_mgmt_ip[front_asic_namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[front_asic_namespace],
- front_asic_namespace)
- self.namespace_docker_mgmt_ipv6[front_asic_namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[front_asic_namespace],
- front_asic_namespace)
+ self.update_docker_mgmt_ip_acl(front_asic_namespace)
 for back_asic_namespace in namespaces['back_ns']:
 self.update_thread[back_asic_namespace] = None
 self.lock[back_asic_namespace] = threading.Lock()
 self.num_changes[back_asic_namespace] = 0
-
- self.iptables_cmd_ns_prefix[back_asic_namespace] = "ip netns exec " + back_asic_namespace + " "
- self.namespace_docker_mgmt_ip[back_asic_namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[back_asic_namespace],
- back_asic_namespace)
- self.namespace_docker_mgmt_ipv6[back_asic_namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[back_asic_namespace],
- back_asic_namespace)
+ self.update_docket_mgmt_ip_acl(back_asic_namespace)
+
+ for fabric_asic_namespace in namespaces['fabric_ns']:
+ self.update_thread[fabric_asic_namespace] = None
+ self.lock[fabric_asic_namespace] = threading.Lock()
+ self.num_changes[fabric_asic_namespace] = 0
+ self.update_docket_mgmt_ip_acl(fabric_asic_namespace)
+
+ def update_docket_mgmt_ip_acl(self, namespace):
+ self.iptables_cmd_ns_prefix[namespace] = "ip netns exec " + namespace + " "
+ self.namespace_docker_mgmt_ip[namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[namespace],
+ namespace)
+ self.namespace_docker_mgmt_ipv6[namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[namespace],
+ namespace)
 def get_namespace_mgmt_ip(self, iptable_ns_cmd_prefix, namespace):
 ip_address_get_command = iptable_ns_cmd_prefix + "ip -4 -o addr show " + ("eth0" if namespace else "docker0") +\
From 35c76cb3e7cc712ac18e74171535b26a238aa971 Mon Sep 17 00:00:00 2001
From: Suvarna Meenakshi
Date: Fri, 2 Sep 2022 17:05:32 +0000
Subject: [PATCH 2/4] Add unit-test and fix typo.
Signed-off-by: Suvarna Meenakshi
---
 scripts/caclmgrd | 6 ++--
 .../caclmgrd_namespace_docker_ip_test.py | 29 +++++++++++++++++++
 2 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 tests/caclmgrd/caclmgrd_namespace_docker_ip_test.py
diff --git a/scripts/caclmgrd b/scripts/caclmgrd
index 9974a16cd109..ede67707b8dc 100755
--- a/scripts/caclmgrd
+++ b/scripts/caclmgrd
@@ -141,15 +141,15 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 self.update_thread[back_asic_namespace] = None
 self.lock[back_asic_namespace] = threading.Lock()
 self.num_changes[back_asic_namespace] = 0
- self.update_docket_mgmt_ip_acl(back_asic_namespace)
+ self.update_docker_mgmt_ip_acl(back_asic_namespace)
 for fabric_asic_namespace in namespaces['fabric_ns']:
 self.update_thread[fabric_asic_namespace] = None
 self.lock[fabric_asic_namespace] = threading.Lock()
 self.num_changes[fabric_asic_namespace] = 0
- self.update_docket_mgmt_ip_acl(fabric_asic_namespace)
+ self.update_docker_mgmt_ip_acl(fabric_asic_namespace)
- def update_docket_mgmt_ip_acl(self, namespace):
+ def update_docker_mgmt_ip_acl(self, namespace):
 self.iptables_cmd_ns_prefix[namespace] = "ip netns exec " + namespace + " "
 self.namespace_docker_mgmt_ip[namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[namespace],
 namespace)
diff --git a/tests/caclmgrd/caclmgrd_namespace_docker_ip_test.py b/tests/caclmgrd/caclmgrd_namespace_docker_ip_test.py
new file mode 100644
index 000000000000..0a15aeacb9c7
--- /dev/null
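Review bot: In PATCH 1/4, the new loop in `scripts/caclmgrd` indexes `namespaces['fabric_ns']` directly, so a `get_all_namespaces()` result without that key would raise KeyError while the daemon is being constructed; whether every supported `sonic_py_common` returns the key is not visible here. `for fabric_asic_namespace in namespaces.get('fabric_ns', []):` would let caclmgrd keep starting in that case, which presumably matters because a daemon that fails to start manages no control-plane ACLs at all. The new helper would also benefit from a docstring, because its name says it updates an ACL while the visible body only caches the `ip netns exec` prefix and the namespace's IPv4/IPv6 management addresses, for example `"""Cache the netns command prefix and docker management IPs for namespace."""`. The enclosing method starts before the hunk.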
+++ b/tests/caclmgrd/caclmgrd_namespace_docker_ip_test.py
@@ -0,0 +1,29 @@
+import os
+import sys
+
+from sonic_py_common.general import load_module_from_source
+from unittest import TestCase, mock
+
+class TestCaclmgrdNamespaceDockerIP(TestCase):
+ """
+ Test caclmgrd Namespace docker management IP
+ """
+ def setUp(self):
+ test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+ modules_path = os.path.dirname(test_path)
+ scripts_path = os.path.join(modules_path, "scripts")
+ sys.path.insert(0, modules_path)
+ caclmgrd_path = os.path.join(scripts_path, 'caclmgrd')
+ self.caclmgrd = load_module_from_source('caclmgrd', caclmgrd_path)
+ self.maxDiff = None
+
+ def test_caclmgrd_namespace_docker_ip(self):
+ self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip = mock.MagicMock(return_value=[])
+ self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock(return_value=[])
+ with mock.patch('sonic_py_common.multi_asic.get_all_namespaces',
+ return_value={'front_ns': ['asic0'], 'back_ns': ['asic1'], 'fabric_ns': ['asic2']}):
+ caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
+ self.assertTrue('asic0' in caclmgrd_daemon.namespace_docker_mgmt_ip)
+ self.assertTrue('asic1' in caclmgrd_daemon.namespace_docker_mgmt_ip)
+ self.assertTrue('asic2' in caclmgrd_daemon.namespace_docker_mgmt_ip)
+ self.assertListEqual(caclmgrd_daemon.namespace_docker_mgmt_ip['asic0'], [])
From b4b368db50c0adaca1801227afd4e73b9fc412aa Mon Sep 17 00:00:00 2001
From: Zhaohui Sun
Date: Sun, 4 Sep 2022 04:38:51 +0000
Subject: [PATCH 3/4] Add warning log if destination port is not defined
Signed-off-by: Zhaohui Sun
---
 scripts/caclmgrd | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/scripts/caclmgrd b/scripts/caclmgrd
index 8a9f99829636..e7f393190bb1 100755
--- a/scripts/caclmgrd
+++ b/scripts/caclmgrd
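Review bot: In PATCH 2/4's new test, both address lookups are mocked to return `[]`, so the assertions prove only that the three namespace keys exist in `namespace_docker_mgmt_ip`; they neither cover `namespace_docker_mgmt_ipv6` nor show that a fabric namespace address is actually stored. Returning a constructed value such as `mock.MagicMock(return_value=['192.0.2.1'])` and adding `self.assertIn('asic2', caclmgrd_daemon.namespace_docker_mgmt_ipv6)` would pin the behaviour the series is meant to add. The two mocks are also assigned straight onto `ControlPlaneAclManager` and never restored; using `mock.patch.object(...)` as a context manager would scope them to this test. `assertIn` gives a clearer failure message than `assertTrue(x in y)`.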
@@ -551,6 +551,8 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 ip_protocols = self.ACL_SERVICES[acl_service]["ip_protocols"]
 if "dst_ports" in self.ACL_SERVICES[acl_service]:
 dst_ports = self.ACL_SERVICES[acl_service]["dst_ports"]
+ else:
+ dst_ports = []
 acl_rules = {}
@@ -604,6 +606,12 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 self.log_warning("Unable to determine if ACL table '{}' contains IPv4 or IPv6 rules. Skipping table..."
 .format(table_name))
 continue
+ # If no destination port found for this ACL table,
+ # log a message and skip processing this table.
+ if len(dst_ports) == 0:
+ self.log_warning("Required destination port not found for ACL table '{}'. Skipping table..."
+ .format(table_name))
+ continue
 ipv4_src_ip_set = set()
 ipv6_src_ip_set = set()
 # For each ACL rule in this table (in descending order of priority)
From bceb13e26273582b87dcce10c20f8ee67b32fb4d Mon Sep 17 00:00:00 2001
From: Hua Liu <58683130+liuh-80@users.noreply.github.com>
Date: Fri, 16 Sep 2022 09:53:43 +0800
Subject: [PATCH 4/4] Install libyang to azure pipeline (#20) #### Why I did it sonic-swss-common lib will add dependency to libyang soon, so need install libyang lib to prevent build and UT break. #### How I did it Modify azure pipeline to install libyang in azure pipeline steps. #### How to verify it Pass all UT. #### Which release branch to backport (provide reason below if selected) #### Description for the changelog Modify azure pipeline to install libyang in azure pipeline steps. #### Link to config_db schema for YANG module changes #### A picture of a cute animal (not mandatory but encouraged)
---
 azure-pipelines.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index a718c80656ec..5ad372b8fa01 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
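Review bot: In PATCH 3/4's second hunk, the added `continue` drops the whole table, so a control-plane ACL table bound to a service without `dst_ports` is presumably left unenforced, and the only trace is a warning-level log line. Because that is a filtering gap rather than a cosmetic problem, consider `self.log_error(...)` here and name the service in the message if `acl_service` is still in scope at this point, which the hunk does not show. The comment could state the consequence as well, e.g. `# No dst_ports for this service: the table's rules are NOT installed.` The test itself reads more idiomatically as `if not dst_ports:`. Both hunks sit inside a method whose start and end are outside the diff.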
@@ -71,6 +71,7 @@ stages:
 sudo dpkg -i libnl-route-3-200_*.deb
 sudo dpkg -i libnl-nf-3-200_*.deb
 sudo dpkg -i libhiredis0.14_*.deb
+ sudo dpkg -i libyang_1.0.73_*.deb
 workingDirectory: $(Pipeline.Workspace)/target/debs/buster/
 displayName: 'Install Debian dependencies'
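Review bot: The added `sudo dpkg -i libyang_1.0.73_*.deb` pins the libyang version inside the glob, so the step will fail once the artifact directory ships a different libyang build. If the pin is deliberate, a comment in the script such as `# libyang is needed by sonic-swss-common; version pinned to the artifact build` would record why, since the reason given in the commit description does not appear in the file. The package is installed as root from the downloaded `target/debs/buster/` directory with no integrity check visible in this hunk, so it is worth confirming that the artifacts come from a trusted, access-controlled pipeline. The script block starts before the hunk.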