[config/acl] Get ACL config from DHCP and load it in swss container #432

Merged 2 commits on Mar 29, 2017
13 changes: 13 additions & 0 deletions dockers/docker-orchagent/start.sh
@@ -12,6 +12,18 @@ function start_app {
done
}

function config_acl {
if [ -f "/etc/sonic/acl.json" ]; then
mkdir -p /etc/swss/config.d/acl
rm -rf /etc/swss/config.d/acl/*

@stcheng (Contributor) commented on Mar 24, 2017:

I would prefer to have the ACL configuration generation part in the config.sh script. We could keep the intermediate ACL JSON files stored here; it doesn't hurt and they could be used as references.

As a separate suggestion that we could do later, I think we could just put the configurations we need into the config.d folder, copying them from the /usr/share/sonic/... folder. In the sonic-swss repository, we only have samples there. #Closed

@taoyl-ms (Contributor, Author) commented on Mar 24, 2017:

We currently don't have a config.sh for the swss docker and I don't see much necessity to add one just for ACL. We can split start.sh into config.sh and start.sh later if we add more features and the configuration logic becomes more complicated. #Closed

@stcheng (Contributor) commented on Mar 24, 2017:

Agree. #Closed

translate_acl -m /etc/sonic/minigraph.xml -o /etc/swss/config.d/acl /etc/sonic/acl.json
for filename in /etc/swss/config.d/acl/*.json; do
[ -e "$filename" ] || break

@lguohan (Collaborator) commented on Mar 27, 2017:

Why do we need this line? #ByDesign

@taoyl-ms (Contributor, Author) commented on Mar 27, 2017:

If there is no file in /etc/swss/config.d/acl/, the for loop body will be executed once with filename equal to '/etc/swss/config.d/acl/*', and that will lead to an error in swssconfig. #ByDesign

swssconfig $filename
done
fi
}

function clean_up {
pkill -9 orchagent
pkill -9 portsyncd
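Review bot: in config_acl the exit status of translate_acl is discarded, so a malformed or unexpected /etc/sonic/acl.json (a file updategraph fetches from a DHCP-supplied URL) leaves /etc/swss/config.d/acl empty after the rm -rf and the function returns silently with no ACLs loaded; the same applies to each `swssconfig $filename` call in the loop. Check both return values and log a clear error, e.g. `translate_acl ... || { echo "translate_acl failed" >&2; return 1; }`, and quote the loop variable as `swssconfig "$filename"`. The `[ -e "$filename" ] || break` guard does handle the empty-directory case; `shopt -s nullglob` before the loop would make that intent explicit, though the guard is fine as written.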
@@ -60,6 +72,7 @@ while true; do
result=`echo -en "SELECT 1\nHLEN HIDDEN" | redis-cli | sed -n 2p`
if [ "$result" != "0" ]; then
start_app
config_acl
read
fi
sleep 1
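Review bot: config_acl is called right after start_app with no check of its result and is immediately followed by `read`, which blocks, so a failed ACL load is neither retried nor surfaced by this loop; config_acl also passes /etc/sonic/minigraph.xml to translate_acl while only testing for acl.json, so the minigraph path should be checked (here or inside config_acl) before it is used.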
3 changes: 2 additions & 1 deletion files/dhcp/dhclient.conf
@@ -14,11 +14,12 @@
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option snmp-community code 224 = text;
option minigraph-url code 225 = text;
option acl-url code 226 = text;

@lguohan (Collaborator) commented on Mar 27, 2017:

Can you update the doc https://github.com/Azure/SONiC/wiki/Configuration-and-Minigraph accordingly? #Resolved

@taoyl-ms (Contributor, Author) commented on Mar 27, 2017:

Updated. #Resolved


send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name,
dhcp6.name-servers, dhcp6.domain-search,
netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers, snmp-community, minigraph-url;
rfc3442-classless-static-routes, ntp-servers, snmp-community, minigraph-url, acl-url;
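Review bot: requesting acl-url (option code 226) means whoever answers DHCP now chooses the source of the switch's packet-filtering policy, not only its minigraph; this is the same trust model the existing minigraph-url option already relies on, but since it now governs data-plane ACLs, the Configuration-and-Minigraph wiki update requested above should state plainly that the DHCP server and the host serving the ACL URL are trusted, and that code 226 is a site-specific option that the DHCP server must be configured to hand out.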

3 changes: 3 additions & 0 deletions files/dhcp/graphserviceurl
@@ -5,5 +5,8 @@ case $reason in
else
echo "N/A" > /tmp/dhcp_graph_url
fi
if [ -n "$new_acl_url" ]; then
echo $new_acl_url > /tmp/dhcp_acl_url
fi
;;
esac
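Review bot: `echo $new_acl_url > /tmp/dhcp_acl_url` should quote the variable (`echo "$new_acl_url"`), since its content comes from the DHCP server and is word-split and glob-expanded when unquoted; also, unlike the graph URL branch directly above, nothing is written when a lease carries no acl-url, so a /tmp/dhcp_acl_url left by an earlier lease in the same boot keeps being used after the server stops offering the option. Write a placeholder or `rm -f /tmp/dhcp_acl_url` in an else branch so updategraph sees the current lease's value.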
30 changes: 30 additions & 0 deletions files/image_config/updategraph/updategraph
@@ -12,6 +12,8 @@ if [ "$enabled" != "true" ]; then
exit 0
fi

ACL_URL=$acl_src

if [ "$src" = "dhcp" ]; then
while [ ! -f /tmp/dhcp_graph_url ]; do
echo "Waiting for DHCP response..."
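Review bot: `ACL_URL=$acl_src` takes the value from the config file unvalidated; the URL_REGEX check is applied only to the DHCP-derived value further down, so a non-DHCP `acl_src` entry goes straight into `curl`. Apply the same regex check on both paths, or move it to a single place just before the download.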
@@ -38,6 +40,18 @@ if [ "$src" = "dhcp" ]; then
sed -i "/src=/d" /etc/sonic/updategraph.conf
echo "src=\"$GRAPH_URL\"" >> /etc/sonic/updategraph.conf
fi

if [ -f /tmp/dhcp_acl_url ]; then
ACL_URL=`sonic-cfggen -t /tmp/dhcp_acl_url -a "{\"hostname\": \"$HOSTNAME\"}"`
if [[ ! $ACL_URL =~ $URL_REGEX ]]; then
echo "\"$ACL_URL\" is not a valid url. Skipping acl update."
ACL_URL=""
fi
if [ "$dhcp_as_static" = "true" ]; then
sed -i "/acl_src=/d" /etc/sonic/updategraph.conf
echo "acl_src=\"$ACL_URL\"" >> /etc/sonic/updategraph.conf
fi
fi
else
GRAPH_URL=$src
fi
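Review bot: the DHCP-supplied acl-url is rendered by `sonic-cfggen -t` as a template, with `$HOSTNAME` spliced into the JSON argument without escaping, and the URL_REGEX check runs only on the rendered result, so both the template text and the hostname are treated as trusted input here; this mirrors the existing minigraph-url handling rather than adding new exposure, but it deserves a comment. Separately, when the rendered value fails URL_REGEX the script still writes `acl_src=""` into updategraph.conf under `dhcp_as_static`, so one bad DHCP value persists as "no ACL" across reboots; consider skipping the config update in that case.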
@@ -53,3 +67,19 @@ while true; do
curl -f $GRAPH_URL -o /etc/sonic/minigraph.xml --connect-timeout 15 && break
sleep 5
done

if [ -n "$ACL_URL" ]; then
if [ -f /etc/sonic/acl.json ]; then
echo "Renaming acl.json to acl.json.old"
mv /etc/sonic/acl.json /etc/sonic/acl.json.old
fi
echo "Getting ACL config from $ACL_URL"

while true; do
curl -f $ACL_URL -o /etc/sonic/acl.json --connect-timeout 15 && break
sleep 5
done
else
echo "Skip ACL config download."
fi
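Review bot: the download block renames the existing acl.json to acl.json.old before the new one has been fetched and then retries `curl` forever, so an unreachable or 404 ACL URL leaves updategraph stuck in this loop with the previous policy already moved aside (the graph download above has the same shape); `$ACL_URL` is also unquoted in the curl call, and nothing checks that what curl returned is ACL JSON before start.sh hands it to translate_acl. Download to a temporary file, e.g. `curl -f "$ACL_URL" -o /etc/sonic/acl.json.tmp`, bound the retries, and only `mv` over acl.json once the fetch succeeds.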

4 changes: 2 additions & 2 deletions src/sonic-config-engine/translate_acl
@@ -129,7 +129,6 @@ def translate_acl_fixed_port(filename, output_path, port, max_priority):

def translate_acl(filename, output_path, attach_to, max_priority):
yang_acl = pybindJSON.load(filename, openconfig_acl, "openconfig_acl")
print attach_to.keys()
for aclsetname in yang_acl.acl.acl_sets.acl_set:
tablename = aclsetname.replace(" ", "_").replace("-", "_")
if attach_to.has_key(tablename):
@@ -151,7 +150,8 @@ def main():
translate_acl_fixed_port(args.input, args.output_path, args.port, args.max_priority)
elif args.minigraph:
mini_data = parse_xml(args.minigraph)
translate_acl(args.input, args.output_path, mini_data['minigraph_acls'], args.max_priority)
if mini_data['minigraph_acls']:
translate_acl(args.input, args.output_path, mini_data['minigraph_acls'], args.max_priority)

if __name__ == "__main__":
main()
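Review bot: the new `if mini_data['minigraph_acls']:` guard makes main() return silently when the minigraph carries no ACL attach points, and start.sh then finds no JSON and loads nothing, so a minigraph without ACL entries produces no diagnostic anywhere; print a message to stderr (and consider a non-zero exit) so an operator can tell an intentionally empty ACL set from a broken minigraph. If 'minigraph_acls' can be absent from parse_xml's output, use `mini_data.get('minigraph_acls')` to avoid a KeyError.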