sonic-net · rodnymolina · Oct 25, 2017
@@ -177,6 +177,11 @@ sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c "$DEFAUL
 ## Create password for the default user
 echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd
 
+## Create special 'sonic' user -- refer to rules/config for details.
+sudo LANG=C chroot $FILESYSTEM_ROOT groupadd -g $SONIC_USER_GID sonic
+sudo LANG=C chroot $FILESYSTEM_ROOT useradd -u $SONIC_USER_UID \
+     -g $SONIC_USER_GID -M -s /bin/false sonic
+
 ## Pre-install hardware drivers
 sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install      \
     firmware-linux-nonfree

@@ -31,10 +31,8 @@ RUN apt-get autoremove -y
 RUN rm -rf /debs ~/.cache
 
 COPY ["*.j2", "/usr/share/sonic/templates/"]
-COPY ["start.sh", "config.sh", "/usr/bin/"]
+COPY ["start.sh", "/usr/bin/"]
 COPY ["daemons", "/etc/frr/"]
 COPY ["debian.conf", "/etc/frr/"]
 
-ENTRYPOINT /usr/bin/config.sh   \
-        && /usr/bin/start.sh    \
-        && /bin/bash
+ENTRYPOINT /usr/bin/start.sh && /bin/bash
@@ -86,6 +86,9 @@ start() {
         -v /usr/share/sonic/device/$PLATFORM:/usr/share/sonic/platform:ro \
 {%- if docker_container_name != "database" %}
         -v /usr/share/sonic/device/$PLATFORM/$HWSKU:/usr/share/sonic/hwsku:ro \
+{%- endif %}
+{%- if docker_image_name == "docker-fpm-frr" %}
+        -v /etc/sonic/frr:/etc/frr:rw \
 {%- endif %}
         --tmpfs /tmp \
         --tmpfs /var/tmp \

@@ -319,3 +319,18 @@ sudo cp target/files/$MLNX_FW_FILE $FILESYSTEM_ROOT/etc/mlnx/fw-SPC.mfa
 j2 platform/mellanox/mlnx-fw-upgrade.j2 | sudo tee $FILESYSTEM_ROOT/usr/bin/mlnx-fw-upgrade.sh
 sudo chmod 755 $FILESYSTEM_ROOT/usr/bin/mlnx-fw-upgrade.sh
 {% endif %}
+
+## If FRR is elected as the routing-stack, its corresponding configuration file
+## will be exposed to the host's file-system. With that goal in mind, here we are
+## creating a dummy/empty config-file to serve as a placeholder for FRR's full
+## configuration.
+{%- if SONIC_ROUTING_STACK == "frr" %}
+sudo mkdir $FILESYSTEM_ROOT/etc/sonic/frr
+sudo touch $FILESYSTEM_ROOT/etc/sonic/frr/frr.conf
+sudo touch $FILESYSTEM_ROOT/etc/sonic/frr/vtysh.conf
+sudo cp dockers/docker-fpm-frr/debian.conf $FILESYSTEM_ROOT/etc/sonic/frr/
+sudo cp dockers/docker-fpm-frr/daemons $FILESYSTEM_ROOT/etc/sonic/frr/
+sudo chown -R $SONIC_USER_UID:$SONIC_USER_GID $FILESYSTEM_ROOT/etc/sonic/frr
+sudo chmod 750 $FILESYSTEM_ROOT/etc/sonic/frr
+sudo chmod -R 640 $FILESYSTEM_ROOT/etc/sonic/frr/
+{%- endif %}
@@ -71,3 +71,15 @@ ENABLE_ORGANIZATION_EXTENSIONS = y
 #   build:    build kernel from source
 #   download: download pre-built kernel from Azure storage.
 DEFAULT_KERNEL_PROCURE_METHOD = build
+
+# SONIC_USER_UID/GID - A special user ('sonic') will be always created during
+# image compilation. This special user will be in charged of running SONiC's
+# critical applications, provided that these applications are willing to run
+# with non-root privileges -- which should be encouraged.  This user will have
+# no login capabilities and will be created across all the execution contexts
+# of the system: both docker containers and host. As we want this user to have
+# the same privileges across all different contexts, we must rely on a unique
+# 'uid:gid' pair to identify him in the system. In consequence, explicit
+# uid:gid values must be provided at build time.
+SONIC_USER_UID = 888
+SONIC_USER_GID = 888
@@ -134,6 +134,15 @@ $(info "SONIC_PROFILING_ON"              : "$(SONIC_PROFILING_ON)")
 $(info "KERNEL_PROCURE_METHOD"           : "$(KERNEL_PROCURE_METHOD)")
 $(info )
 
+# Exporting ROUTING_STACK as an env-var to allow build-infra to conditionaly compile
+# routing stack dependent components.
+export SONIC_ROUTING_STACK
+
+# Exporting SONIC_USER_UID/GID values.
+export SONIC_USER_UID
+export SONIC_USER_GID
+
+
 ###############################################################################
 ## Generic rules section
 ## All rules must go after includes for propper targets expansion

@@ -5,10 +5,25 @@ SHELL = /bin/bash
 MAIN_TARGET = frr_$(FRR_VERSION)_amd64.deb
 
 $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
-        # Replacing frr's rules/install files with SONiC's own versions to activate
-        # specific knobs and adjust install process to address SONiC's needs.
-	cp sonic_frr.rules frr/debian/rules
-	cp sonic_frr.install frr/debian/frr.install
+
+    # UID/GID env-vars must be explicitly passed to installation scripts to
+    # allow subsequent 'dpkg -i' process to make use of this variable.
+	if ! grep -q "^SONIC_USER_UID=" sonic_frr.preinst; then
+		sed -e"/^set -u/a SONIC_USER_GID=${SONIC_USER_GID}" \
+		    -e"/^set -u/a SONIC_USER_UID=${SONIC_USER_UID}" \
+		    sonic_frr.preinst > tmp_file && \
+		mv tmp_file sonic_frr.preinst
+	fi
+
+	pushd ./frr
+
+    # Replacing frr's rules/install/service files with SONiC's own versions
+    # to activate specific knobs and adjust install process to SONiC needs.
+	cp ../sonic_frr.rules debian/rules
+	cp ../sonic_frr.install debian/frr.install
+	cp ../sonic_frr.preinst debian/frr.preinst
+	cp ../sonic_frr.postinst debian/frr.postinst
+	cp ../sonic_frr.init.d.frr tools/frr
 
         # Build the package
 	pushd ./frr