Merge branch 'master' into mellanox_security

.azure-pipelines/docker-sonic-slave-template.yml

@@ -10,6 +10,9 @@ parameters:
  - amd64
  - armhf
  - arm64
+- name: march
+ type: string
+ default: ''
 - name: dist
  type: string
  values:
@@ -32,89 +35,44 @@ parameters:
  - sonicbld-armhf
 
 jobs:
-- job: Build_${{ parameters.dist }}_${{ parameters.arch }}
+- job: Build_${{ parameters.dist }}_${{ parameters.march }}${{ parameters.arch }}
  timeoutInMinutes: 360
+ variables:
+ - template: /.azure-pipelines/template-variables.yml@buildimage
+ - template: /.azure-pipelines/azure-pipelines-repd-build-variables.yml@buildimage
  pool: ${{ parameters.pool }}
  steps:
  - template: cleanup.yml
- - ${{ if eq(variables['Build.Reason'], 'PullRequest') }}:
- - template: template-clean-sonic-slave.yml
- - ${{ else }}:
- - template: '/.azure-pipelines/template-clean-sonic-slave.yml@buildimage'
+ - template: /.azure-pipelines/template-clean-sonic-slave.yml@buildimage
  - checkout: self
  clean: true
  submodules: recursive
+ - task: Docker@2
+ displayName: Login to ACR
+ inputs:
+ command: login
+ containerRegistry: ${{ parameters.registry_conn }}
  - bash: |
  set -ex
+ image_tag=$(BLDENV=${{ parameters.dist }} make -f Makefile.work showtag PLATFORM=generic PLATFORM_ARCH=${{ parameters.arch }} | grep sonic-slave | tail -n 1)
+ image_latest=$(echo $(echo $image_tag | awk -F: '{print$1}'):latest)
+ docker rmi $image_tag || true
 
- SLAVE_DIR=sonic-slave-${{ parameters.dist }}
- if [ x${{ parameters.pool }} == x"sonicbld" ]; then
- if [ x${{ parameters.arch }} == x"amd64" ]; then
- SLAVE_BASE_IMAGE=${SLAVE_DIR}
- SLAVE_BASE_IMAGE_UPLOAD=${SLAVE_DIR}
- elif [ x${{ parameters.pool }} == x"sonicbld" ]; then
- SLAVE_BASE_IMAGE=${SLAVE_DIR}-march-${{ parameters.arch }}
- SLAVE_BASE_IMAGE_UPLOAD=${SLAVE_DIR}-march-${{ parameters.arch }}
- fi
- elif [[ x${{ parameters.pool }} == x"sonicbld-armhf" && x${{ parameters.arch }} == x"armhf" ]]; then
- SLAVE_BASE_IMAGE=${SLAVE_DIR}
- SLAVE_BASE_IMAGE_UPLOAD=${SLAVE_DIR}-armhf
- elif [[ x${{ parameters.pool }} == x"sonicbld-arm64" && x${{ parameters.arch }} == x"arm64" ]]; then
- SLAVE_BASE_IMAGE=${SLAVE_DIR}
- SLAVE_BASE_IMAGE_UPLOAD=${SLAVE_DIR}-arm64
- else
- echo "do not support build ${{ parameters.arch }} on ${{ parameters.pool }}"
- exit 1
+ if [[ "$(Build.Reason)" =~ [a-zA-Z]*CI ]] && docker pull ${{ parameters.registry_url }}/${image_tag};then
+ exit 0
  fi
 
- if [ x"$(Build.SourceBranchName)" == x"202012" ]; then
- BUILD_OPTIONS = 'SONIC_VERSION_CONTROL_COMPONENTS=deb,py2,py3,web,git,docker'
+ DOCKER_DATA_ROOT_FOR_MULTIARCH=/data/march/docker BLDENV=${{ parameters.dist }} make -f Makefile.work configure PLATFORM=generic PLATFORM_ARCH=${{ parameters.arch }} $args || docker image ls $image_tag
+ if [[ "$(Build.Reason)" == "PullRequest" ]];then
+ exit 0
  fi
 
- tmpfile=$(mktemp)
-
- echo ${{ parameters.arch }} > .arch
-
- DOCKER_DATA_ROOT_FOR_MULTIARCH=/data/march/docker BLDENV=${{ parameters.dist }} $(BUILD_OPTIONS) make -f Makefile.work sonic-slave-build | tee $tmpfile
- SLAVE_BASE_TAG=$(grep "^Checking sonic-slave-base image:" $tmpfile | awk -F ':' '{print $3}')
- SLAVE_TAG=$(grep "^Checking sonic-slave image:" $tmpfile | awk -F ':' '{print $3}')
-
- mkdir -p target
-
- docker tag $SLAVE_BASE_IMAGE:$SLAVE_BASE_TAG $REGISTRY_SERVER/$SLAVE_BASE_IMAGE_UPLOAD:latest
- docker tag $SLAVE_BASE_IMAGE:$SLAVE_BASE_TAG $REGISTRY_SERVER/$SLAVE_BASE_IMAGE_UPLOAD:$SLAVE_BASE_TAG
- if [ "$SLAVE_BASE_IMAGE_UPLOAD" != "$SLAVE_DIR" ]; then
- docker tag $SLAVE_BASE_IMAGE:$SLAVE_BASE_TAG $REGISTRY_SERVER/$SLAVE_DIR:latest-${{ parameters.arch }}
- docker tag $SLAVE_BASE_IMAGE:$SLAVE_BASE_TAG $REGISTRY_SERVER/$SLAVE_DIR:$SLAVE_BASE_TAG
+ docker tag ${image_tag} ${REGISTRY_SERVER}/${image_tag}
+ docker push ${REGISTRY_SERVER}/${image_tag}
+ if [[ "${{ parameters.arch }}" == "amd64" ]];then
+ docker tag ${image_tag} ${REGISTRY_SERVER}/${image_latest}
+ docker push ${REGISTRY_SERVER}/${image_latest}
  fi
- set +x
- echo "##vso[task.setvariable variable=VARIABLE_SLAVE_BASE_IMAGE]$SLAVE_BASE_IMAGE_UPLOAD"
- echo "##vso[task.setvariable variable=VARIABLE_SLAVE_BASE_TAG]$SLAVE_BASE_TAG"
  env:
  REGISTRY_SERVER: ${{ parameters.registry_url }}
  displayName: Build sonic-slave-${{ parameters.dist }}-${{ parameters.arch }}
-
- - task: Docker@2
- condition: ne(variables['Build.Reason'], 'PullRequest')
- displayName: Upload image
- inputs:
- containerRegistry: ${{ parameters.registry_conn }}
- repository: $(VARIABLE_SLAVE_BASE_IMAGE)
- command: push
- ${{ if eq(variables['Build.SourceBranchName'], 'master') }}:
- tags: |
- $(VARIABLE_SLAVE_BASE_TAG)
- latest
- ${{ else }}:
- tags: |
- $(VARIABLE_SLAVE_BASE_TAG)
- - ${{ if ne(parameters.arch, 'amd64') }}:
- - task: Docker@2
- condition: ne(variables['Build.Reason'], 'PullRequest')
- displayName: Upload image ${{ parameters.dist }}
- inputs:
- containerRegistry: ${{ parameters.registry_conn }}
- repository: "sonic-slave-${{ parameters.dist }}"
- command: push
- tags: |
- $(VARIABLE_SLAVE_BASE_TAG) 

.azure-pipelines/docker-sonic-slave.yml

@@ -12,26 +12,28 @@ resources:
  endpoint: sonic-net
 
 schedules:
-- cron: "0 8 * * *"
+- cron: "0 0 * * 0"
+ displayName: Weekly build
  branches:
  include:
  - master
- - 202012
+ - 202???
  always: true
 
-trigger: none
-pr:
+pr: none
+trigger:
+ batch: true
  branches:
  include:
  - master
+ - 202???
  paths:
  include:
- - sonic-slave-jessie
- - sonic-slave-stretch
- - sonic-slave-buster
- - sonic-slave-bullseye
+ - sonic-slave-*
  - src/sonic-build-hooks
- - .azure-pipelines
+ - files/build/versions
+ - Makefile
+ - Makefile.work
 
 parameters:
 - name: 'arches'
@@ -60,15 +62,21 @@ stages:
  - ${{ each dist in parameters.dists }}:
  - ${{ if endswith(variables['Build.DefinitionName'], dist) }}:
  - ${{ each arch in parameters.arches }}:
- - ${{ if eq(variables['Build.Reason'], 'PullRequest') }}:
- - template: docker-sonic-slave-template.yml
- parameters:
- pool: sonicbld
- arch: ${{ arch }}
- dist: ${{ dist }}
- - ${{ else }}:
- - template: '/.azure-pipelines/docker-sonic-slave-template.yml@buildimage'
+ - template: .azure-pipelines/docker-sonic-slave-template.yml@buildimage
+ parameters:
+ pool: sonicbld
+ arch: ${{ arch }}
+ dist: ${{ dist }}
+- stage: Build_march
+ dependsOn: []
+ jobs:
+ - ${{ each dist in parameters.dists }}:
+ - ${{ if endswith(variables['Build.DefinitionName'], dist) }}:
+ - ${{ each arch in parameters.arches }}:
+ - ${{ if ne(arch, 'amd64') }}:
+ - template: .azure-pipelines/docker-sonic-slave-template.yml@buildimage
  parameters:
- pool: sonicbld
+ pool: sonicbld-${{ arch }}
  arch: ${{ arch }}
  dist: ${{ dist }}
+ march: march_

Makefile.work

@@ -34,7 +34,7 @@
 # * Default: yes
 # * Values: yes, no
 # * KERNEL_PROCURE_METHOD: Specifying method of obtaining kernel Debian package: download or build
-# * TELEMETRY_WRITABLE: Enable write/config operations via the gNMI interface.
+# * ENABLE_TRANSLIB_WRITE: Enable translib write/config operations via the gNMI interface.
 # * Default: unset
 # * Values: y
 # * SONIC_DPKG_CACHE_METHOD: Specifying method of obtaining the Debian packages from cache: none or cache
@@ -395,7 +395,7 @@ SONIC_BUILD_INSTRUCTION := make \
  INCLUDE_MACSEC=$(INCLUDE_MACSEC) \
  SONIC_INCLUDE_RESTAPI=$(INCLUDE_RESTAPI) \
  SONIC_INCLUDE_MUX=$(INCLUDE_MUX) \
- TELEMETRY_WRITABLE=$(TELEMETRY_WRITABLE) \
+ ENABLE_TRANSLIB_WRITE=$(ENABLE_TRANSLIB_WRITE) \
  EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
  BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
  SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \

azure-pipelines.yml

@@ -113,6 +113,8 @@ stages:
 
  - script: |
  set -x
+ sudo apt-get update
+ sudo apt-get install libyang0.16 -y
  sudo dpkg -i --force-confask,confnew ../libswsscommon_1.0.0_amd64.deb
  sudo dpkg -i ../python3-swsscommon_1.0.0_amd64.deb
  sudo docker load -i ../target/docker-sonic-vs.gz
@@ -137,7 +139,7 @@ stages:
  pool: sonictest
  displayName: "kvmtest-t0-part1"
  timeoutInMinutes: 360
- continueOnError: true
+ continueOnError: false
  steps:
  - template: .azure-pipelines/run-test-template.yml
  parameters:
@@ -151,7 +153,7 @@ stages:
  pool: sonictest
  displayName: "kvmtest-t0-part2"
  timeoutInMinutes: 360
- continueOnError: true
+ continueOnError: false
  steps:
  - template: .azure-pipelines/run-test-template.yml
  parameters:

build_debian.sh

@@ -467,10 +467,16 @@ rm /files/etc/ssh/sshd_config/ClientAliveInterval
 rm /files/etc/ssh/sshd_config/ClientAliveCountMax
 touch /files/etc/ssh/sshd_config/EmptyLineHack
 rename /files/etc/ssh/sshd_config/EmptyLineHack ""
-set /files/etc/ssh/sshd_config/ClientAliveInterval 900
+set /files/etc/ssh/sshd_config/ClientAliveInterval 300
 set /files/etc/ssh/sshd_config/ClientAliveCountMax 1
 ins #comment before /files/etc/ssh/sshd_config/ClientAliveInterval
-set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliveInterval]] "Close inactive client sessions after 15 minutes"
+set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliveInterval]] "Close inactive client sessions after 5 minutes"
+rm /files/etc/ssh/sshd_config/MaxAuthTries
+set /files/etc/ssh/sshd_config/MaxAuthTries 3
+rm /files/etc/ssh/sshd_config/LogLevel
+set /files/etc/ssh/sshd_config/LogLevel VERBOSE
+rm /files/etc/ssh/sshd_config/Banner
+set /files/etc/ssh/sshd_config/Banner /etc/issue
 save
 quit
 EOF

build_image.sh

@@ -191,6 +191,7 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then
  zip -g $ABOOT_BOOT_IMAGE .imagehash
  rm .imagehash
  echo "SWI_VERSION=42.0.0" > version
+ echo "BUILD_DATE=$(date -d "${build_date}" -u +%Y%m%dT%H%M%SZ)" >> version
  echo "SWI_MAX_HWEPOCH=2" >> version
  echo "SWI_VARIANT=US" >> version
  zip -g $OUTPUT_ABOOT_IMAGE version