
[macsec] Parse macsec_enabled and macsec_profile from minigraph #10917

Merged
merged 7 commits into from
Jun 29, 2022

Conversation

@judyjoseph judyjoseph commented May 25, 2022

Why I did it

In the Minigraph the following details are present for macsec configuration:

  <LinkMetadataDeclaration>
    <Link xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.Search.Autopilot.Evolution">
      <a:LinkMetadata>
        <a:Name i:nil="true"/>
        <a:Properties>
          <a:DeviceProperty>
            <a:Name>MacSecEnabled</a:Name>
            <a:Value>True</a:Value>
          </a:DeviceProperty>
        </a:Properties>
        <a:Key>linecard-1:Ethernet1/1;ARISTA01-RH:Ethernet1/1</a:Key>
      </a:LinkMetadata>
    </Link>
    <Properties xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.Search.Autopilot.Evolution"/>
  </LinkMetadataDeclaration>

<a:DeviceProperty>
  <a:Name>MacSecProfile</a:Name>
  <a:Value>PrimaryKey="macsec-profile" FallbackKey="macsec-profile2" MacsecPolicy=""</a:Value>

Added the following:

  1. Support to parse the macsec enabled flag per interface.
  2. Extract the primary macsec profile name in minigraph and attach it to interfaces where the macsecEnabled flag is set.
  3. The PrimaryKey in the MacSecProfile DeviceProperty is the macsec profile used by default.
  4. The FallbackKey in the MacSecProfile DeviceProperty is the macsec profile that will be used during key rotation. This is a manual process for now.

The macsec_profile, e.g. as below, will be pushed into the device as a JSON file and loaded into the config DBs using the "config load" command.

1. cat macsec_profile.json

      {
          "MACSEC_PROFILE": {
              "macsec-profile": {
                  "cipher_suite": "GCM-AES-XPN-256",
                  "primary_cak": "cak",
                  "primary_ckn": "ckn",
                  "priority": "0",
                  "rekey_period": "60"
              },
              "macsec-profile2": {
                  "cipher_suite": "GCM-AES-XPN-256",
                  "primary_cak": "cak",
                  "primary_ckn": "ckn",
                  "priority": "0",
                  "rekey_period": "60"
              }
          }
      }

2. config load macsec_profile.json

How I did it

Added parsing logic in minigraph.py

How to verify it

Verified by generating config_db.json in a multi-asic device.

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)


@arlakshm arlakshm left a comment


Please add unit tests for these?

src/sonic-config-engine/minigraph.py (outdated)
@judyjoseph (Contributor Author)

Please add unit tests for these?

Added unit tests, but there are some validation failures which need to be further discussed.

Do we need macsec-profile yang checks enforced here, as we are not populating the macsec_profile table contents from minigraph?

    Validating yang schema
sonic_yang(6):Note: Below table(s) have no YANG models: PEER_SWITCH, VOQ_INBAND_INTERFACE, SYSTEM_PORT, CONSOLE_PORT, TUNNEL, MUX_CABLE, DEVICE_NEIGHBOR_METADATA, DHCP_SERVER, TELEMETRY, RESTAPI, CONSOLE_SWITCH
sonic_yang(3):Data Loading Failed:Leafref "/sonic-macsec:sonic-macsec/sonic-macsec:MACSEC_PROFILE/sonic-macsec:MACSEC_PROFILE_LIST/sonic-macsec:name" of value "macsec-profile" points to a non-existing leaf.
yang data generated from /sonic/src/sonic-config-engine/tests/sample-voq-graph.xml is not valid: Data Loading Failed
Leafref "/sonic-macsec:sonic-macsec/sonic-macsec:MACSEC_PROFILE/sonic-macsec:MACSEC_PROFILE_LIST/sonic-macsec:name" of value "macsec-profile" points to a non-existing leaf.

lgtm-com bot commented Jun 13, 2022

This pull request introduces 2 alerts when merging ae13892565ba8d5c710d42000e0ac3635ace61fd into 201792f - view on LGTM.com

new alerts:

  • 2 for Mismatch in multiple assignment

@judyjoseph judyjoseph requested a review from arlakshm June 18, 2022 00:31
@judyjoseph (Contributor Author)

This issue is fixed by updating the testcases. It is passing now.

@arlakshm (Contributor)

@judyjoseph, LGTM. We will add tests for packet-chassis in another PR?

return linkmetas

def parse_macsec_profile(val_string):
macsec_profile = {}
values = val_string.strip().split(' ')
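Review bot: `val_string.strip().split(' ')` in parse_macsec_profile splits on single spaces only, so a run of two spaces produces an empty token, a value containing a space is cut in two, and the double quotes in `PrimaryKey="macsec-profile"` stay attached to the value. Consider `shlex.split()` (which strips the quotes and keeps quoted spaces intact) or at least `split()` with no argument, and reject any token that has no `=`.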
Collaborator, on val_string:

The parsing logic is too strict and not easy to read/extend. Could you explore libraries like https://docs.python.org/3/library/configparser.html?

Contributor Author:

@Qi I find this config parser library is used when we have to read from an input file, and while parsing it has restrictions like needing to have a [SECTION] header etc., which I feel is not applicable here.

I checked the following, and the current parsing should take care of them:

  • The macsec profile name cannot contain spaces.
  • The profile will have PrimaryKey and FallbackKey.
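As an added example (not code from this PR or from minigraph.py), the following Python shows one robust way to parse the MacSecProfile value quoted in the description and attach its PrimaryKey to the ports whose link metadata has MacSecEnabled set, then check that every referenced profile exists in MACSEC_PROFILE before config load (the leafref failure reported above). The linkmetas dict shape, the sample values and the helper names are assumptions constructed here.

```python
import shlex

# Constructed sample values, shaped like the minigraph fragments quoted in the PR
# description; not taken from a real device.
SAMPLE_PROFILE = 'PrimaryKey="macsec-profile" FallbackKey="macsec-profile2" MacsecPolicy=""'
SAMPLE_LINKMETAS = {
    "linecard-1:Ethernet1/1;ARISTA01-RH:Ethernet1/1": {"MacSecEnabled": "True"},
    "linecard-1:Ethernet2/1;ARISTA02-RH:Ethernet1/1": {"MacSecEnabled": "False"},
    "linecard-1:Ethernet3/1;ARISTA03-RH:Ethernet1/1": {},  # no MacSec property at all
}


def parse_macsec_profile(val_string):
    """Split a MacSecProfile value into {"PrimaryKey": ..., "FallbackKey": ..., ...}.

    shlex honours the double quotes, so an empty value (MacsecPolicy="") and a
    value containing spaces both survive with the quotes stripped; a plain
    split(' ') would keep the quotes and break on any run of spaces.
    """
    profile = {}
    for token in shlex.split(val_string.strip()):
        if "=" not in token:
            raise ValueError("malformed MacSecProfile token: %r" % token)
        key, value = token.split("=", 1)
        profile[key] = value
    return profile


def macsec_interfaces(linkmetas, profile_value):
    """Map each local port whose link has MacSecEnabled=True to the PrimaryKey profile.

    linkmetas is assumed to look like {"<local>:<port>;<peer>:<port>": {property: value}},
    mirroring a:Key and a:DeviceProperty inside the LinkMetadata element.
    """
    primary = parse_macsec_profile(profile_value).get("PrimaryKey")
    if not primary:
        raise ValueError("MacSecProfile has no PrimaryKey")
    ports = {}
    for key, props in linkmetas.items():
        if props.get("MacSecEnabled", "False").lower() != "true":
            continue
        local_end = key.split(";", 1)[0]          # "linecard-1:Ethernet1/1"
        ports[local_end.split(":", 1)[1]] = primary
    return ports


def missing_profiles(port_profiles, config_db):
    """Profiles referenced by ports but absent from MACSEC_PROFILE; this is what the
    YANG leafref check failed on, so run it before 'config load'."""
    known = set(config_db.get("MACSEC_PROFILE", {}))
    return sorted({p for p in port_profiles.values() if p not in known})
```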

@qiluo-msft qiluo-msft requested a review from ganglyu June 21, 2022 21:48
@@ -73,6 +73,9 @@ def validate(self, argument):
cmd += ' -p ' + args.port_config
if args.namespace is not None:
cmd += ' -n ' + args.namespace
if "-j " in argument:
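Review bot: the new branch at the end of this hunk tests the raw `argument` string for the substring `"-j "`, while the lines just above already read the parsed `args` (`args.port_config`, `args.namespace`). A substring test also matches `-j` embedded in another token and is not satisfied when `-j` is the final token. Use the parsed value consistently (`args.json`, with an `is not None` guard like the namespace branch).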
@qiluo-msft (Collaborator) Jun 21, 2022

if "-j " in argument:

Could you check args? #Closed

Contributor Author:

Updated to use args itself.

@@ -73,6 +73,9 @@ def validate(self, argument):
cmd += ' -p ' + args.port_config
if args.namespace is not None:
cmd += ' -n ' + args.namespace
if "-j " in argument:
strs = argument.split(' ')
cmd += " -j {}".format(next(strs[i+1] for i in range(len(strs)) if strs[i]=='-j'))
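Review bot: `next(strs[i+1] for i in range(len(strs)) if strs[i]=='-j')` on the last line of this hunk raises StopIteration when `-j` is the final token (the preceding `in` check passes but no value follows), and `argument.split(' ')` leaves empty strings for repeated spaces, so `-j` followed by two spaces yields `strs[i+1] == ''`. Since the parsed `args` is already in scope, `if args.json is not None: cmd += ' -j ' + args.json` removes both problems and matches the style of the `-n` branch above.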
@qiluo-msft (Collaborator) Jun 21, 2022

cmd += " -j {}".format(next(strs[i+1] for i in range(len(strs)) if strs[i]=='-j'))

Could you use args.json? #Closed

Contributor Author:

Updated to use args itself.

@judyjoseph (Contributor Author)

@judyjoseph, LGTM. We will add tests for packet-chassis in another PR?

Yes, I will raise a separate PR for packet-chassis, as the sample xml/portconfig.ini needs to be modified a bit, which I will confirm. Thanks.

@judyjoseph judyjoseph merged commit 05f1c6f into sonic-net:master Jun 29, 2022
yxieca pushed a commit that referenced this pull request Jun 30, 2022
* Updates needed to parse the macsec config from minigraph
* Add unit tests in tests/test_cfggen.py::TestCfgGen, and updates
@judyjoseph judyjoseph deleted the macsec_config branch July 1, 2022 19:10
skbarista pushed a commit to skbarista/sonic-buildimage that referenced this pull request Aug 17, 2022
…-net#10917)

* Updates needed to parse the macsec config from minigraph
* Add unit tests in tests/test_cfggen.py::TestCfgGen, and updates