Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[MACsec]: Set MACsec feature to be auto-start #6678

Merged
merged 4 commits into from
Feb 23, 2021
Merged

[MACsec]: Set MACsec feature to be auto-start #6678

merged 4 commits into from
Feb 23, 2021

Conversation

Pterosaur
Copy link
Contributor

@Pterosaur Pterosaur commented Feb 4, 2021
edited
Loading

Signed-off-by: Ze Gan ganze718@gmail.com

- Why I did it
I want the MACsec feature can be automatically enabled.

- How I did it

  1. Add supervisord as the entrypoint of docker-macsec
  2. Add wpa_supplicant conf into docker-macsec
  3. Set the macsecmgrd as the critical_process
  4. Configure supervisor to monitor macsecmgrd
  5. Set macsec in the features list
  6. Add config variable INCLUDE_MACSEC
  7. Add macsec.service

- How to verify it
Change the /etc/sonic/config_db.json as follow

{
    "PORT": {
        "Ethernet0": {
            ...
            "macsec": "test"
         }
    }
    ...
    "MACSEC_PROFILE": {
        "test": {
            "priority": 64,
            "cipher_suite": "GCM-AES-128",
            "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
            "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
            "policy": "security"
        }
    }
}

To execute sudo config reload -y, We should find the following new items were inserted in app_db of redis

127.0.0.1:6379> keys *MAC*
1) "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538"
2) "MACSEC_PORT_TABLE:Ethernet0"
127.0.0.1:6379> hgetall "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538"
1) "ssci"
2) ""
3) "encoding_an"
4) "0"
127.0.0.1:6379> hgetall "MACSEC_PORT_TABLE:Ethernet0"
 1) "enable"
 2) "false"
 3) "cipher_suite"
 4) "GCM-AES-128"
 5) "enable_protect"
 6) "true"
 7) "enable_encrypt"
 8) "true"
 9) "enable_replay_protect"
10) "false"
11) "replay_window"
12) "0"

- Description for the changelog

Set MACsec feature can auto start

- A picture of a cute animal (not mandatory but encouraged)
🐉

This PR depends on: sonic-net/sonic-swss#1627

@Pterosaur Pterosaur force-pushed the macsec_start branch 2 times, most recently from 43c84c2 to fd5f4b7 Compare February 4, 2021 09:55
@Pterosaur Pterosaur mentioned this pull request Feb 8, 2021
Merged
@Pterosaur
Set MACsec to be auto-start
d3ba5bb 
Signed-off-by: Ze Gan <ganze718@gmail.com>
@Pterosaur Pterosaur marked this pull request as ready for review February 8, 2021 06:41
@Pterosaur
Update sonic-utility submodule to support macsec config reload
7456a74 
Signed-off-by: Ze Gan <ganze718@gmail.com>
lguohan
lguohan previously approved these changes Feb 19, 2021
View reviewed changes
lguohan
lguohan reviewed Feb 19, 2021
View reviewed changes
files/build_templates/init_cfg.json.j2 Outdated
@@ -34,6 +34,7 @@
{%- if include_nat == "y" %}{% do features.append(("nat", "disabled", false, "enabled")) %}{% endif %}
{%- if include_restapi == "y" %}{% do features.append(("restapi", "enabled", false, "enabled")) %}{% endif %}
{%- if include_sflow == "y" %}{% do features.append(("sflow", "disabled", false, "enabled")) %}{% endif %}
{%- if include_macsec == "y" %}{% do features.append(("macsec", "enabled", false, "enabled")) %}{% endif %}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mark it as disable by default

@Pterosaur
Make MACsec feature is disabled by default
082ea18 
Signed-off-by: Ze Gan <ganze718@gmail.com>
@lguohan lguohan merged commit 4068944 into sonic-net:master Feb 23, 2021
@Pterosaur Pterosaur deleted the macsec_start branch February 24, 2021 02:14
carl-nokia pushed a commit to carl-nokia/sonic-buildimage that referenced this pull request Aug 7, 2021
@Pterosaur
[MACsec]: Set MACsec feature to be auto-start (sonic-net#6678)
dc720f4 
1. Add supervisord as the entrypoint of docker-macsec
2. Add wpa_supplicant conf into docker-macsec
3. Set the macsecmgrd as the critical_process
4. Configure supervisor to monitor macsecmgrd
5. Set macsec in the features list
6. Add config variable `INCLUDE_MACSEC`
7. Add macsec.service

**- How to verify it**

Change the `/etc/sonic/config_db.json` as follow
```
{
    "PORT": {
        "Ethernet0": {
            ...
            "macsec": "test"
         }
    }
    ...
    "MACSEC_PROFILE": {
        "test": {
            "priority": 64,
            "cipher_suite": "GCM-AES-128",
            "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
            "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
            "policy": "security"
        }
    }
}
```
To execute `sudo config reload -y`, We should find the following new items were inserted in app_db of redis
```
127.0.0.1:6379> keys *MAC*
1) "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538"
2) "MACSEC_PORT_TABLE:Ethernet0"
127.0.0.1:6379> hgetall "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538"
1) "ssci"
2) ""
3) "encoding_an"
4) "0"
127.0.0.1:6379> hgetall "MACSEC_PORT_TABLE:Ethernet0"
 1) "enable"
 2) "false"
 3) "cipher_suite"
 4) "GCM-AES-128"
 5) "enable_protect"
 6) "true"
 7) "enable_encrypt"
 8) "true"
 9) "enable_replay_protect"
10) "false"
11) "replay_window"
12) "0"
```

Signed-off-by: Ze Gan <ganze718@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lguohan lguohan lguohan approved these changes

@qiluo-msft qiluo-msft Awaiting requested review from qiluo-msft qiluo-msft is a code owner

@xumia xumia Awaiting requested review from xumia xumia is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Pterosaur @lguohan