* [Security] Fix the krb5 vulnerability issue (#17914)
### Why I did it
Fix the krb5 vulnerable issue
CVE-2021-36222 allows remote attackers to cause a NULL pointer dereference and daemon crash
CVE-2021-37750 NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field
DSA 5286-1 remote code execution
##### Work item tracking
- Microsoft ADO **(number only)**: 26577929
#### How I did it
Upgrade the krb5 version to 1.18.3-6+deb11u14+fips.
* [Build] Fix krb5 package not found issue (#17926)
Why I did it
Fix the build issue caused by the wrong version specified.
See the build error logs:
Try 4: /usr/bin/wget --retry-connrefused failed to get: -O
--2024-01-26 11:38:23-- https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.10/amd64/libk5crypto3_1.18.3-6+deb11u14+fips_amd64.deb
Resolving sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)... 20.60.59.131
Connecting to sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)|20.60.59.131|:443... connected.
HTTP request sent, awaiting response... 404 The specified blob does not exist.
2024-01-26 11:38:23 ERROR 404: The specified blob does not exist..
Try 5: /usr/bin/wget --retry-connrefused failed to get: -O
make[1]: *** [Makefile:12: /sonic/target/debs/bullseye/symcrypt-openssl_0.10_amd64.deb] Error 8
make[1]: Leaving directory '/sonic/src/sonic-fips'
Work item tracking
Microsoft ADO (number only): 26577929
The package not installed but PR passed issue is traced in another issue #17927
How I did it
Add the libkrb5-dev and the depended packages to fix docker-sonic-vs build failure.
The package libzmq3-dev has dependency on the libkrb5-dev.
* [202305] Support FIPS for armhf
* Remove no use mirror
* Fix fips options issue
Why I did it
Reverting DHCP counter changes due to unexpected packet drops seen in recv buffer, causing counter counts to be inaccurate in dhcpmon and affecting dhcp6relay performance
Work item tracking
Microsoft ADO (number only): 26918588
How I did it
Reset submodule head and revert related dockerfile changes
How to verify it
Ran mgmt test and stress test
Fix#16204
Microsoft ADO (number only): 25746782
How I did it
multiarch/debian-debootstrap:arm64-bullseye is too old.
It needs to add some gpg keys before 'apt-get update'
### Why I did it
The json.hpp header file from that package is used in the sonic-swss-common build. An old version of that header file (from 2016) has been checked into the sonic-swss-common repo. However, since then, there have been changes to that header file, and starting with GCC 12 in Bookworm, generates some errors about variables being possibly uninitialized before use.
##### Work item tracking
- Microsoft ADO **(number only)**: 25027439
#### How I did it
To fix this, install the nlohmann-json3-dev package, and allow using the header file from the Debian package instead of a static checked-in version. The version in Debian Bullseye is much newer than this version.
#### How to verify it
With this change alone, sonic-swss-common will still be using the json.hpp file in its own codebase. The change to actually use the system header file instead of the local header file will happen in a separate PR in the necessary repoes.
Co-authored-by: Saikrishna Arcot <sarcot@microsoft.com>
Why I did it
Support DHCP/DHCPv6 per-interface counter, code change in sonic-build image.
Work item tracking
Microsoft ADO (17271822):
How I did it
- Introduce libjsoncpp-dev in dhcpmon and dhcprelay repo
- Show CLI changes after counter format change
How to verify it
- Manually run show command
- dhcpmon, dhcprelay integration tests
It appears that this was initially added to provide the git-retry
command (which doesn't appear to be used today). However, this repo is
now also providing bazel (which is actually used in our build today),
and this command (along with git-retry) expects some vpython3 binary to
be set up/installed.
Rather than going through that, just get rid of this repo.
Why I did it
Fix the armhf build failure.
How to reproduce the issue:
docker run -it debain:bullseye bash
apt-get update && apt-get install -y python3-pip
pip3 install PyYAML==5.4.1
Error message:
Collecting PyYAML==5.4.1
Downloading PyYAML-5.4.1.tar.gz (175 kB)
|████████████████████████████████| 175 kB 12.3 MB/s
Installing build dependencies ... done
Getting requirements to build wheel ... error
ERROR: Command errored out with exit status 1:
command: /usr/bin/python3 /tmp/tmp6xabslgb_in_process.py get_requires_for_build_wheel /tmp/tmp_er01ztl
....
raise AttributeError(attr)
AttributeError: cython_sources
----------------------------------------
WARNING: Discarding d63f2d75975bd331af8d4ab1ed687d/PyYAML-5.4.1.tar.gz#sha256=607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e (from https://pypi.org/simple/pyyaml/) (requires-python:>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*). Command errored out with exit status 1: /usr/bin/python3 /tmp/tmp6xabslgb_in_process.py get_requires_for_build_wheel /tmp/tmp_er01ztl Check the logs for full command output.
ERROR: Could not find a version that satisfies the requirement PyYAML==5.4.1
ERROR: No matching distribution found for PyYAML==5.4.1
root@fa2fa92edcfd:/#
But if adding the option --no-build-isolation, then it is good, see fix.
install "PyYAML==5.4.1" --no-build-isolation
The same error can be found in the multiple builds.
Work item tracking
Microsoft ADO (number only): 24567457
How I did it
Add a build option --no-build-isolation.
Disable isolation when building a modern source distribution. Build dependencies specified by PEP 518 must be already installed if this option is used.
How to verify it
- run pre-commit tox profile to trim all trailing blanks
- use several commits with a per-folder based strategy
to ease their merge
Issue #15114
Signed-off-by: Guillaume Lambert <guillaume.lambert@orange.com>
- Why I did it
Mellanox syncd container will be based on Debian iproute2 plus patches instead of Nvidia internal version of iproute2
- How I did it
Download iproute2 from Debian repository, apply patches and compile to create a new target.
The target is then deployed in syncd container of Mellanox switches only.
The new target is called IPROUTE2_MLNX.
- How to verify it
Compile and load on switch, verify interfaces network devices created successfully.
Verify LLDP shows connections to neighbors.
Verify ping between 2 hosts over 2 router ports is successful.
Why I did it
Fix some of vulnerability issue relative python packages #14269
Pillow: [CVE-2021-27921]
Wheel: [CVE-2022-40898]
lxml: [CVE-2022-2309]
How I did it
* Upgrade docker-sonic-vs and docker-syncd-vs to Bullseye
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* iproute2: Force a new version and timestamp to be used for the package
There is an issue with Docker's overlay2 storage driver when not using
native diffs (and thus falling back to naive diff mode), which is the
case in the CI builds. The way the naive diff mode detects changes is by
comparing the file size and comparing the timestamps (specifically, I
believe it's the modification timestamp), and if there's a change there,
then it's considered a change that needs to be recorded as part of that
layer.
The problem is that with the code being added in the patch, the file
size remains the same, and the timestamp of binary files appear to be
the same timestamp as the changelog entry (likely for reproducible build
purposes). The file size remains the same likely due to extra padding
within the file introduced by relro. Because of this, Docker doesn't
detect this file has changed, and doesn't save the new file as part of
this layer.
To work around this, create a new changelog entry (with a new version as
well) with a new timestamp. This will result in the binary files having
a different timestamp, and thus will get saved by Docker as part of that
layer.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
---------
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
Why I did it
It's possible to speed up some parts of a build using parallel compression/decompression.
This is especially important for build_debian.sh.
How I did it
pigz is a parallel implementation of gzip: https://zlib.net/pigz/
Some programs like docker and mkinitramfs can automatically detect and use it instead of gzip.
For tar we need to select it directly.
To enable this feature you need to set GZ_COMPRESS_PROGRAM=pigz
Why I did it
There were some changes in apt source code in version 2.1.9.
As a result apt used in bullseye (2.2.4) is intolerant to network issues.
This was fixed in 10631550f1 Already fixed version is used in bookworm (2.5.4)
And not yet affected version is used in buster (1.8.2.3)
How I did it
Set Acquire::Retries to 3 for sonic-slave-bullseye, docker-base-bullseye and final Debian image.
Ref: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1876035
Signed-off-by: Konstantin Vasin k.vasin@yadro.com
Why I did it
Unify the Debian mirror sources
Make easy to upgrade to the next Debian release, not source url code change required.
Support to customize the Debian mirror sources during the build
Relative issue: #12523
Signed-off-by: maipbui <maibui@microsoft.com>
#### Why I did it
When updating the container from Buster to Bullseye in azure pipelines in sonic-utilities repo, the build checker failed due to missing one of the dependencies in libswsscommon
```
+ sudo dpkg -i libswsscommon_1.0.0_amd64.deb
Selecting previously unselected package libswsscommon.
(Reading database ... 196324 files and directories currently installed.)
Preparing to unpack libswsscommon_1.0.0_amd64.deb ...
Unpacking libswsscommon (1.0.0) ...
dpkg: dependency problems prevent configuration of libswsscommon:
libswsscommon depends on libboost-serialization1.71.0; however:
Package libboost-serialization1.71.0 is not installed.
dpkg: error processing package libswsscommon (--install):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.31-13+deb11u4) ...
Errors were encountered while processing:
libswsscommon
```
#### How I did it
Update the libboost-serialization dependency to a specific version that >= 1.71
#### How to verify it
Verified locally, build sonic-utilities successfully with this version
- Why I did it
To support saithriftv2 build for bullseye dockers
- How I did it
Added the dependencies documented in the SAI docs and used in sonic-slave-buster
- How to verify it
Build saithriftv2 in the sonic-slave-bullseye
Signed-off-by: Yakiv Huryk <yhuryk@nvidia.com>
Why I did it
Building docker-sonic-vs requires dependencies installed in sonic-slave-buster
How I did it
Add libs to sonic-slave-buster and sonic-slave-bullseye
How to verify it
Check files
* Ported Marvell armhf build on x86 for debian buster to use cross-compilation instead of qemu emulation
Current armhf Sonic build on amd64 host uses qemu emulation. Due to the
nature of the emulation it takes a very long time, about 22-24 hours to
complete the build. The change I did to reduce the building time by
porting Sonic armhf build on amd64 host for Marvell platform for debian
buster to use cross-compilation on arm64 host for armhf target. The
overall Sonic armhf building time using cross-compilation reduced to
about 6 hours.
Signed-off-by: marvell <marvell@cpss-build3.marvell.com>
* Fixed final Sonic image build with dockers inside
* Update Dockerfile.j2
Fixed qemu-user-static:x86_64-aarch64-5.0.0-2 .
* Update cross-build-arm-python-reqirements.sh
Added support for both armhf and arm64 cross-build platform using $PY_PLAT environment variable.
* Update Makefile
Added TARGET=<cross-target> for armhf/arm64 cross-compilation.
* Reviewer's @qiluo-msft requests done
Signed-off-by: marvell <marvell@cpss-build3.marvell.com>
* Added new radius/pam patch for arm64 support
* Update slave.mk
Added missing back tick.
* Added libgtest-dev: libgmock-dev: to the buster Dockerfile.j2. Fixed arm perl version to be generic
* Added missing armhf/arm64 entries in /etc/apt/sources.list
* fix libc-bin core dump issue from xumia:fix-libc-bin-install-issue commit
* Removed unnecessary 'apt-get update' from sonic-slave-buster/Dockerfile.j2
* Fixed saiarcot895 reviewer's requests
* Fixed README and replaced 'sed/awk' with patches
* Fixed ntp build to use openssl
* Unuse sonic-slave-buster/cross-build-arm-python-reqirements.sh script (put all prebuilt python packages cross-compilation/install inside Dockerfile.j2). Fixed src/snmpd/Makefile to use -j1 in all cases
* Clean armhf cross-compilation build fixes
* Ported cross-compilation armhf build to bullseye
* Additional change for bullseye
* Set CROSS_BUILD_ENVIRON default value n
* Removed python2 references
* Fixes after merge with the upstream
* Deleted unused sonic-slave-buster/cross-build-arm-python-reqirements.sh file
* Fixed 2 @saiarcot895 requests
* Fixed @saiarcot895 reviewer's requests
* Removed use of prebuilt python wheels
* Incorporated saiarcot895 CC/CXX and other simplification/generalization changes
Signed-off-by: marvell <marvell@cpss-build3.marvell.com>
* Fixed saiarcot895 reviewer's additional requests
* src/libyang/patch/debian-packaging-files.patch
* Removed --no-deps option when installing wheels. Removed unnecessary lazy_object_proxy arm python3 package instalation
Co-authored-by: marvell <marvell@cpss-build3.marvell.com>
Co-authored-by: marvell <marvell@cpss-build2.marvell.com>
The following packages have unmet dependencies:
libssl-dev : Depends: libssl1.1 (= 1.1.1n-0+deb11u3) but 1.1.1n-0+deb11u2 is to be installed
E: Unable to correct problems, you have held broken packages.
Fixes#9279
- Why I did it
Part of larger effort to move all SONiC systems to bullseye
- How I did it
1. Update container makefiles with correct dependencies
2. Update container Dockerfile with correct base image
3. Update container Dockerfile with correct apt dependencies
4. Update any other makefiles with dependencies to remove python2 support
5. Minor changes to support bullseye / python3
- How to verify it
Run regression on the switch:
1. Verify PTF community tests work
2. Verify syncd runs and all ports come up / pass traffic
3. Verify all platform tests succeed
* Upgrade docker version from 20.10.7 to 20.10.14, and pin containerd.io
Update the Docker engine version from 20.10.7 to 20.10.14. This brings
in some CVE and bug fixes.
Additionally, pin the version of containerd.io to a specific version,
mainly for consistency/reproducibility.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* Remove the containerd ordering change to docker.service
This appears to be already present in the current docker.service.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* Remove use of apt-key
apt-key is considered deprecated, and the current practice is to just
add the key into /etc/apt/trusted.gpg.d/.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* Upgrade docker container in Bullseye slave to 20.10.14
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
Why I did it
To sign SONiC kernel image and allow secure boot based system to verify SONiC image before loading into the system.
How I did it
Pass following parameter to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert
How to verify it
Secure boot enabled system enrolled with right public key of the, image in the platform UEFI database will able to verify image before load.
Alternatively one can verify with offline sbsign tool as below.
export SBSIGN_KEY=/abc/bcd/xyz/
sbverify --cert $SBSIGN_KEY/public_cert.cert fsroot-platform-XYZ/boot/vmlinuz-5.10.0-8-2-amd64 mage
O/P:
Signature verification OK
Why I did it
Add libgmock-dev to the package list required by linkmgrd unittests.
Required by PR: Azure/sonic-linkmgrd#45
How I did it
Add the package to the package list.
How to verify it
Build docker-mux with KEEP_SLAVE_ON=yes and verify libgmock-dev is present.
Signed-off-by: Longxiang Lyu <lolv@microsoft.com>
Why I did it
Smartmontools 6.6 has an issue with reading SMART info of nvme SSD
Smartmontools can be installed with apt-get, no need to build and install
How I did it
Use apt-get to install smartmontools 7.2-1
Remove previous make files for smartmontools 6.6
How to verify it
verify with "smartctl" can read out correct SMART info on NVME ssd.
verify "show platform ssdhealth" can still work
Signed-off-by: Kebo Liu <kebol@nvidia.com>
As part of this, update the isc-dhcp package to match the Bullseye
version (this fixes some compile errors related to BIND), clean up some
of the build dependencies and runtime dependencies for debian packaging,
and use the default Boost version to compile against instead of
explicitly saying using 1.74.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* [arm64]: Fix registration of the qemu interpreters
The current code doesn't properly run the container that registers the
qemu interpreters. It checks to see if the container is "known" by
Docker, but that doesn't indicate whether it's been run or not.
Therefore, just always register the qemu interpreters in the kernel, to
make sure the binary that's in the slave images that we build is used.
* [build]: Reduce the number of python calls
Modify the BLDENV and PROJECT_ROOT variables in slave.mk to be
immediate execution instead of lazy execution. Neither of these
variables should be changing for the duration of the build in each slave
container, so just run it once instead of every time they're referenced.
When running `make configure` for broadcom arm64 (where all of the slave
images are already built) on an amd64 host, this reduces the time spent
in each slave container from 4.5-5 minutes to 2 minutes.
* [sonic-slave]: Upgrade the qemu used for Bullseye arm64 to 6.1.0
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
- Add INCLUDE_PINS to config to enable/disable container
- Add Docker files and supporting resources
- Add sonic-pins submodule and associated make files
Submission containing materials of a third party:
Copyright Google LLC; Licensed under Apache 2.0
#### Why I did it
Adds P4RT container to SONiC for PINS
The P4RT app is covered by this HLD:
https://github.com/pins/SONiC/blob/master/doc/pins/p4rt_app_hld.md
#### How I did it
Followed the pattern and templates used for other SONiC applications
#### How to verify it
Build SONiC with INCLUDE_P4RT set to "y".
Verify that the resulting build has a container called "p4rt" running.
You can verify that the service is up by running the following command on the SONiC switch:
```bash
sudo netstat -lpnt | grep p4rt
```
You should see the service listening on TCP port 9559.
#### Which release branch to backport (provide reason below if selected)
None
#### Description for the changelog
Build P4RT container for PINS
This pull request integrate audisp-tacplus to SONiC for per-command accounting.
#### Why I did it
To support TACACS per-command accounting, we integrate audisp-tacplus project to sonic.
#### How I did it
1. Add auditd service to SONiC
2. Port and patch audisp-tacplus to SONiC
#### How to verify it
UT with CUnit to cover all new code in usersecret-filter.c
Also pass all current UT.
#### Which release branch to backport (provide reason below if selected)
N/A
#### Description for the changelog
Add audisp-tacplus for per-command accounting.
#### A picture of a cute animal (not mandatory but encouraged)
for compile error when build systemd-sonic-generator_1.0.0_arm64.deb on qemu arm64 bullseye.
```
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/single_inst.service", "tests/ssg-test/systemd/single_inst.service"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/multi_inst_b.service", "tests/ssg-test/systemd/multi_inst_b.service"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/multi_inst_a.service", "tests/ssg-test/systemd/multi_inst_a.service"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/multi_inst_b@.service", "tests/ssg-test/systemd/multi_inst_b@.service"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/multi_inst_a@.service", "tests/ssg-test/systemd/multi_inst_a@.service"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/test.timer", "tests/ssg-test/systemd/test.timer"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/test.service", "tests/ssg-test/systemd/test.service"
ssg-test.cc:244: Failure
Expected equality of these values:
fs::exists(path)
Which is: false
expected_result
Which is: true
Failed validation: "tests/ssg-test/generator/multi-user.target.wants/multi_inst_b.service"
```
Co-authored-by: shil <shil@centecnetworks.com>
The recent release of redis 4.0.0 or newer (for python3) breaks sonic-config-engine unit test. Fix to last known good version.
ref: https://pypi.org/project/redis/#history
This commit fixes/avoids the following errors encountered during the
marvell-armhf build for bullseye
- Fix Marvell prestera DMA driver build failure due to kallsyms_lookup_name()
no longer being exported by the updated bullseye kernel. This is a temporary
fix that will be replaced by a future version of the DMA driver.
- Update qemu-user-static version to align with the new glibc version included
in bullseye
- Skip systemd-sonic-generator unit tests to avoid test failures. Root cause is
still TBD
#### Why I did it
Fix the following build errors observed when building marvell-armhf for bullseye
1. Marvell Prestera DMA driver uses kernel API no longer exported
ERROR: modpost: "kallsyms_lookup_name" [/sonic/platform/marvell-armhf/prestera/mrvl-prestera/cpssEnabler/linuxNoKernelModule/drivers//mvDmaDrv.ko] undefined!
2. Old qemu-user-static version does not support semop() leading to following build failure
semop(1): encountered an error: Function not implemented
3. systemd-sonic-generator unit test failure
ssg-test.cc:217: Failure
Expected equality of these values:
find_string_in_file(str_t, target, num_asics)
Which is: false
expected_result
Which is: true
Error validating Before=single_inst.service in test.service
[ FAILED ] SsgMainTest.ssg_main_40_npu (20 ms)
[----------] 4 tests from SsgMainTest (36 ms total)
[----------] Global test environment tear-down
[==========] 10 tests from 3 test suites ran. (54 ms total)
[ PASSED ] 7 tests.
[ FAILED ] 3 tests, listed below:
[ FAILED ] SsgMainTest.ssg_main_single_npu
[ FAILED ] SsgMainTest.ssg_main_10_npu
[ FAILED ] SsgMainTest.ssg_main_40_npu
3 FAILED TESTS
1. Fix build for armhf and arm64
2. upgrade centec tsingma bsp support to 5.10 kernel
3. modify centec platform driver for linux 5.10
Co-authored-by: Shi Lei <shil@centecnetworks.com>
This pull request add plugin support library to bash.
And we will create a TACACS+ plugin for bash in an other PR, which will bring per command authorization feature to bash.
Why I did it
To support TACACS per command authorization, we check user command before execute it.
How I did it
Add plugin support to bash.
How to verify it
UT with CUnit under bash project cover all new code in plugin.c.
Also pass all current UT.
Which release branch to backport (provide reason below if selected)
N/A
Description for the changelog
Add plugin support to bash.
When using dpkg with the --root flag to install a deb package in a
chroot, dpkg checks to see if the users and groups specified in the
/var/lib/dpkg/statoverride file are valid. The problem is, it checks
against the host system's /etc/passwd and /etc/group files, instead of
/etc/passwd and /etc/group inside the chroot.
In the slave image for Buster, cron appears to have been automatically
installed, and so the crontab group existed. This doesn't appear to be
true for Bullseye, so explicitly install it. This makes sure that the
crontab group exists on the slave image itself.
Also install the mock python 3 package, this is needed by some test.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
This will be used to build our image as well as tools that need to go
into this image.
Notable changes from Buster:
* Python 2/pip2 module installations have been removed, since nothing
besides the main Python 2 binary (and virtualenv support) is now
available through Bullseye.
* In the cases where both the main library package and the development
package are being installed, now, only the dev package is specified. The
main library is typically marked as a dependency of the dev package.
This reduces the number of changes we have to make as SONAMEs change.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
xumia
kellyyeh
Liu Shilong
Kamil Cudnik
jcaiMR
mssonicbld
Saikrishna Arcot
Guilt
Lior Avramov
jhli-cisco
Konstantin Vasin
Mai Bui
Yakiv Huryk
Zain Budhwani
gregshpit
Alexander Allen
Sachin Naik
Longxiang Lyu
Kebo Liu
Qi Luo
Brian O'Connor
liuh-80
LuiSzee
dflynn-Nokia
KostiantynYarovyiBf
donNewtonAlpha
Guohan Lu