From 2d108ee33e69743f49f68f302a01c0c905d0beec Mon Sep 17 00:00:00 2001
From: Taoyu Li
Date: Fri, 24 Mar 2017 02:02:20 +0000
Subject: [PATCH 1/2] [config/acl] Get ACL config from DHCP and load it in swss container

---
 dockers/docker-orchagent/start.sh | 12 +++++++++
 files/dhcp/dhclient.conf | 3 ++-
 files/dhcp/graphserviceurl | 3 +++
 files/image_config/updategraph/updategraph | 30 ++++++++++++++++++++++
 src/sonic-config-engine/translate_acl | 4 +--
 5 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/dockers/docker-orchagent/start.sh b/dockers/docker-orchagent/start.sh
index 6e05782b3d75..4a9b3c00cd1a 100755
--- a/dockers/docker-orchagent/start.sh
+++ b/dockers/docker-orchagent/start.sh
@@ -12,6 +12,17 @@ function start_app {
 done
 }

+function config_acl {
+ if [ -f "/etc/sonic/acl.json" ]; then
+ mkdir -p /etc/swss/config.d/acl
+ rm -rf /etc/swss/config.d/acl/*
+ translate_acl -m /etc/sonic/minigraph.xml -o /etc/swss/config.d/acl /etc/sonic/acl.json
+ for filename in /etc/swss/config.d/acl/*.json; do
+ swssconfig $filename
+ done
+ fi
+}
+
 function clean_up {
 pkill -9 orchagent
 pkill -9 portsyncd
@@ -60,6 +71,7 @@ while true; do
 result=`echo -en "SELECT 1\nHLEN HIDDEN" | redis-cli | sed -n 2p`
 if [ "$result" != "0" ]; then
 start_app
+ config_acl
 read
 fi
 sleep 1
diff --git a/files/dhcp/dhclient.conf b/files/dhcp/dhclient.conf
index ce4ac4d9f445..4a8bb037cd68 100644
--- a/files/dhcp/dhclient.conf
+++ b/files/dhcp/dhclient.conf
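Review bot: In config_acl the `rm -rf /etc/swss/config.d/acl/*` runs before translate_acl has produced anything, and translate_acl's exit status is never checked, so a malformed or truncated acl.json (which this same patch fetches from a network-supplied URL) leaves the switch with the old ACL tables wiped and nothing loaded in their place. Translate into a fresh directory first and only then replace the old one, or at minimum stop on failure: `translate_acl -m /etc/sonic/minigraph.xml -o /etc/swss/config.d/acl /etc/sonic/acl.json || { echo "translate_acl failed, ACL config not applied" >&2; return 1; }`. While here, `swssconfig "$filename"` should be quoted; the path is controlled by the glob but the unquoted form is a habit worth not starting.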
@@ -14,11 +14,12 @@ option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
 option snmp-community code 224 = text;
 option minigraph-url code 225 = text;
+option acl-url code 226 = text;
 send host-name = gethostname();
 request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, domain-search, host-name, dhcp6.name-servers, dhcp6.domain-search, netbios-name-servers, netbios-scope, interface-mtu,
- rfc3442-classless-static-routes, ntp-servers, snmp-community, minigraph-url;
+ rfc3442-classless-static-routes, ntp-servers, snmp-community, minigraph-url, acl-url;
diff --git a/files/dhcp/graphserviceurl b/files/dhcp/graphserviceurl
index 0e8b1b83e141..f255cdff9877 100644
--- a/files/dhcp/graphserviceurl
+++ b/files/dhcp/graphserviceurl
@@ -5,5 +5,8 @@ case $reason in
 else
 echo "N/A" > /tmp/dhcp_graph_url
 fi
+ if [ -n "$new_acl_url" ]; then
+ echo $new_acl_url > /tmp/dhcp_acl_url
+ fi
 ;;
 esac
diff --git a/files/image_config/updategraph/updategraph b/files/image_config/updategraph/updategraph
index 68fbe6eb9c19..0d3b248bc436 100755
--- a/files/image_config/updategraph/updategraph
+++ b/files/image_config/updategraph/updategraph
@@ -12,6 +12,8 @@ if [ "$enabled" != "true" ]; then
 exit 0
 fi

+ACL_URL=$acl_src
+
 if [ "$src" = "dhcp" ]; then
 while [ ! -f /tmp/dhcp_graph_url ]; do
 echo "Waiting for DHCP response..."
@@ -38,6 +40,18 @@ if [ "$src" = "dhcp" ]; then
 sed -i "/src=/d" /etc/sonic/updategraph.conf
 echo "src=\"$GRAPH_URL\"" >> /etc/sonic/updategraph.conf
 fi
+
+ if [ -f /tmp/dhcp_acl_url ]; then
+ ACL_URL=`sonic-cfggen -t /tmp/dhcp_acl_url -a "{\"hostname\": \"$HOSTNAME\"}"`
+ if [[ ! $ACL_URL =~ $URL_REGEX ]]; then
+ echo "\"$ACL_URL\" is not a valid url. Skipping acl update."
+ ACL_URL=""
+ fi
+ if [ "$dhcp_as_static" = "true" ]; then
+ sed -i "/acl_src=/d" /etc/sonic/updategraph.conf
+ echo "acl_src=\"$ACL_URL\"" >> /etc/sonic/updategraph.conf
+ fi
+ fi
 else
 GRAPH_URL=$src
 fi
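Review bot: The new `option acl-url code 226 = text;` line carries no hint that this option turns an unauthenticated DHCP answer into the source of the switch's packet-filtering rules, which is the kind of trust decision the next person editing this file needs to see. A comment above the definition would do: `# acl-url (226, site-specific range): URL the switch fetches its ACL config from; trusted exactly as far as the DHCP server is`. Codes 224-254 are the site-specific range, so 226 should also be checked against whatever else the deployment's DHCP servers already use there.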
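Review bot: The graphserviceurl hook writes /tmp/dhcp_acl_url only when `new_acl_url` is set and never removes it otherwise, unlike the graph URL just above, which always writes a value ("N/A" when absent); a stale file from an earlier lease therefore keeps triggering an ACL download after the DHCP server has stopped advertising the option. Mirror the existing pattern with an else branch, and quote the variable so an unexpected value is not word-split or glob-expanded by `echo`: `echo "$new_acl_url" > /tmp/dhcp_acl_url` plus `else rm -f /tmp/dhcp_acl_url`. The hook runs as root and writes to a fixed name in a world-writable directory, which is already true of /tmp/dhcp_graph_url, but it is worth noting since the file's content now chooses what root downloads and applies as ACL policy.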
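Review bot: `ACL_URL=\`sonic-cfggen -t /tmp/dhcp_acl_url ...\`` renders a string supplied by the DHCP server as a template before the URL_REGEX check is applied, so the regex only validates the output, not what the template engine was asked to evaluate. Unless sonic-cfggen renders with a sandboxed environment (not visible here), a crafted acl-url option can execute template expressions as root during boot; the same construction already exists for the graph URL, but this hunk doubles the exposure. Prefer substituting the hostname without a template engine, for example `ACL_URL=$(sed "s/{{ *hostname *}}/$HOSTNAME/g" /tmp/dhcp_acl_url)`, or at least refuse the file when it contains `{%` or `{{` beyond the hostname placeholder. Note also that with `dhcp_as_static=true` the DHCP-derived value is persisted into updategraph.conf, so a single rogue lease outlives the lease itself; URL_REGEX is defined outside the hunk.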
@@ -53,3 +67,19 @@ while true; do
 curl -f $GRAPH_URL -o /etc/sonic/minigraph.xml --connect-timeout 15 && break
 sleep 5
 done
+
+if [ -n "$ACL_URL" ]; then
+ if [ -f /etc/sonic/acl.json ]; then
+ echo "Renaming acl.json to acl.json.old"
+ mv /etc/sonic/acl.json /etc/sonic/acl.json.old
+ fi
+ echo "Getting ACL config from $ACL_URL"
+
+ while true; do
+ curl -f $ACL_URL -o /etc/sonic/acl.json --connect-timeout 15 && break
+ sleep 5
+ done
+else
+ echo "Skip ACL config download."
+fi
+
diff --git a/src/sonic-config-engine/translate_acl b/src/sonic-config-engine/translate_acl
index f706fe1f52e4..2c4410615d6e 100755
--- a/src/sonic-config-engine/translate_acl
+++ b/src/sonic-config-engine/translate_acl
@@ -129,7 +129,6 @@ def translate_acl_fixed_port(filename, output_path, port, max_priority):

 def translate_acl(filename, output_path, attach_to, max_priority):
 yang_acl = pybindJSON.load(filename, openconfig_acl, "openconfig_acl")
- print attach_to.keys()
 for aclsetname in yang_acl.acl.acl_sets.acl_set:
 tablename = aclsetname.replace(" ", "_").replace("-", "_")
 if attach_to.has_key(tablename):
@@ -151,7 +150,8 @@ def main():
 translate_acl_fixed_port(args.input, args.output_path, args.port, args.max_priority)
 elif args.minigraph:
 mini_data = parse_xml(args.minigraph)
- translate_acl(args.input, args.output_path, mini_data['minigraph_acls'], args.max_priority)
+ if mini_data['minigraph_acls']:
+ translate_acl(args.input, args.output_path, mini_data['minigraph_acls'], args.max_priority)

 if __name__ == "__main__":
 main()

From 6a84f05e769c9610e1a95f0b537dbcb49168dc65 Mon Sep 17 00:00:00 2001
From: Taoyu Li
Date: Fri, 24 Mar 2017 21:04:11 +0000
Subject: [PATCH 2/2] Fix the case when there is no acl jsons

---
 dockers/docker-orchagent/start.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dockers/docker-orchagent/start.sh b/dockers/docker-orchagent/start.sh
index 4a9b3c00cd1a..689b70fade4d 100755
--- a/dockers/docker-orchagent/start.sh
+++ b/dockers/docker-orchagent/start.sh
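Review bot: The ACL download moves the working acl.json out of the way before the first curl attempt and then retries forever, so an unreachable or wrong acl-url (an optional feature) leaves the box with no acl.json and updategraph never finishing; the minigraph loop above has the same shape, but there the file is mandatory. Fetch into a temporary file with a bounded number of attempts, and only replace acl.json once curl has succeeded, so a failed fetch keeps the previous policy in place. Nothing here checks what was fetched: `curl -f` accepts any 2xx body, and for an `http:` URL there is no transport protection, so the ACL policy applied to the switch is exactly whatever the DHCP server plus the network path deliver — requiring `https:` in the URL, or verifying a signature or checksum published out of band, is the missing control. The rewritten section below keeps the same messages for the skip case.
```shell
if [ -n "$ACL_URL" ]; then
    echo "Getting ACL config from $ACL_URL"
    # Download to a temp file so a failed or partial fetch never replaces a working acl.json.
    ACL_TMP=$(mktemp /etc/sonic/acl.json.XXXXXX)
    ACL_OK=false
    for attempt in 1 2 3 4 5 6; do
        curl -f "$ACL_URL" -o "$ACL_TMP" --connect-timeout 15 && ACL_OK=true && break
        sleep 5
    done
    if [ "$ACL_OK" = "true" ]; then
        if [ -f /etc/sonic/acl.json ]; then
            echo "Renaming acl.json to acl.json.old"
            mv /etc/sonic/acl.json /etc/sonic/acl.json.old
        fi
        mv "$ACL_TMP" /etc/sonic/acl.json
    else
        echo "Failed to fetch ACL config from $ACL_URL; keeping existing acl.json"
        rm -f "$ACL_TMP"
    fi
else
    echo "Skip ACL config download."
fi
```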
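Review bot: The new `if mini_data['minigraph_acls']:` guard in main() makes a minigraph with no ACL attach points a silent no-op, and it still raises KeyError if parse_xml ever omits the key, so an operator who shipped an acl.json gets neither output files nor an explanation. Read the key defensively and say why nothing was produced: `acls = mini_data.get('minigraph_acls')`, `if acls:` for the call, and an else branch printing something like "no ACL attach points in minigraph, nothing translated" to stderr (whether `sys` is already imported is not visible in this hunk). main()'s body starts outside the hunk.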
@@ -18,6 +18,7 @@ function config_acl {
 rm -rf /etc/swss/config.d/acl/*
 translate_acl -m /etc/sonic/minigraph.xml -o /etc/swss/config.d/acl /etc/sonic/acl.json
 for filename in /etc/swss/config.d/acl/*.json; do
+ [ -e "$filename" ] || break
 swssconfig $filename
 done
 fi
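Review bot: `[ -e "$filename" ] || break` correctly skips the literal-pattern case of an unmatched glob, but the line right after it still passes the path unquoted and ignores swssconfig's exit status, so one bad table file is applied-or-not silently and the loop carries on. Quote it and surface failures: `swssconfig "$filename" || echo "swssconfig failed on $filename" >&2`. An equivalent that avoids the existence test altogether is `shopt -s nullglob` before the loop, if the rest of start.sh is bash. config_acl begins outside the hunk.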