Add caclmgrd and related files to translate and install control plane ACL rules #1240
acls[aclname] = {'policy_desc': aclname, | ||
'ports': acl_intfs, | ||
'type': 'MIRROR' if is_mirror else 'L3', | ||
'service': 'N/A'} |
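Review bot: the 'service': 'N/A' entry on the last line stores a placeholder string for L3 and MIRROR tables instead of leaving the field out, so any consumer that later reads 'service' has to special-case the literal 'N/A'. Consider omitting the key for non-control-plane tables, or add a comment here stating which table types the field applies to.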
So is this "service" attribute only feasible for CTRLPLANE type? Will orchagent read this field for L3 and MIRROR?
It is only applicable to CTRLPLANE type. Orchagent currently has no concept of this field, so it is effectively ignored for L3 and MIRROR ACLs.
import syslog | ||
from swsssdk import ConfigDBConnector | ||
except ImportError as err: | ||
raise ImportError("%s - required module not found" % str(err)) |
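Review bot: the except clause on the last two lines catches ImportError only to raise another ImportError carrying str(err) with a suffix, so it handles nothing and adds a second layer to the failure report. Letting the original exception propagate gives the same outcome with the import site intact; if the wrapper is kept for consistency with other scripts, a one-line comment saying so would answer the question for the next reader.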
Why do we need this?
This ImportError try/except block is something that was present in many SONiC Python scripts when I first joined the team. It is something I have carried over into new scripts for consistency. It is not necessary; it just presents a clear error message to the user if it fails to import a module and attempts to continue on.
It might be better to simply throw the exception and exit; again, I've simply carried on using it for consistency within the project.
(stdout, stderr) = proc.communicate() | ||
|
||
if proc.returncode != 0: | ||
log_error("Error running command '{}'".format(cmd)) |
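Review bot: the log_error call on the last line records only the command string, while proc.returncode and the stderr captured by proc.communicate() at the top of the hunk are discarded. Include both in the message so a failed command can be diagnosed from the log, and make the behaviour after a failure (abort or continue with the remaining commands) explicit through a return value or a comment.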
Do we want to continue with the following commands when the previous command failed? Not quite sure whether to stop or to continue is the better approach; might need to look into the detailed scenario.
@@ -226,6 +226,8 @@ sudo cp files/sshd/host-ssh-keygen.sh $FILESYSTEM_ROOT/usr/local/bin/ | |||
sudo cp -f files/sshd/sshd.service $FILESYSTEM_ROOT/lib/systemd/system/ssh.service | |||
## Config sshd | |||
sudo augtool --autosave "set /files/etc/ssh/sshd_config/UseDNS no" -r $FILESYSTEM_ROOT | |||
sudo sed -i 's/^ListenAddress ::/#ListenAddress ::/' $FILESYSTEM_ROOT/etc/ssh/sshd_config | |||
sudo sed -i 's/^#ListenAddress 0.0.0.0/ListenAddress 0.0.0.0/' $FILESYSTEM_ROOT/etc/ssh/sshd_config |
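Review bot: the two added sed lines only take effect when sshd_config contains exactly 'ListenAddress ::' and '#ListenAddress 0.0.0.0' at the start of a line, and sed exits successfully when nothing matches, so a differently formatted stock file would leave sshd on its default listen addresses without the build noticing. Setting the value with augtool, as the UseDNS line above does, or checking the file after the edit would make this robust. The dots in 0.0.0.0 are also unescaped in the pattern, and a comment stating the IPv4-only intent belongs next to these lines.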
Why do we need to uncomment these?
We decided to only accept SSH connections over IPv4 interfaces, not IPv6. These two lines accomplish this.
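A check for the IPv4-only intent stated above, as an added example that is not part of the PR or the SONiC code base: it applies the PR's two sed expressions to constructed sshd_config samples and reports whether the result actually restricts sshd to IPv4. The function names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; the file contents below are constructed samples,
# not SONiC's real sshd_config.

# Write a constructed sshd_config sample of the given kind to a temp file
# and print the file name.
make_sample() {
    f=$(mktemp)
    case "$1" in
        stock)  printf '%s\n' '#Port 22' '#ListenAddress 0.0.0.0' '#ListenAddress ::' ;;
        dual)   printf '%s\n' 'ListenAddress 0.0.0.0' 'ListenAddress ::' ;;
        custom) printf '%s\n' 'Port 22' '#ListenAddress 192.0.2.1' ;;
    esac > "$f"
    echo "$f"
}

# Apply the two substitutions from the build script to the file in $1.
apply_listen_edits() {
    sed -i 's/^ListenAddress ::/#ListenAddress ::/' "$1"
    sed -i 's/^#ListenAddress 0.0.0.0/ListenAddress 0.0.0.0/' "$1"
}

# Return 0 only if the file has an active "ListenAddress 0.0.0.0" and no
# active IPv6 ListenAddress (bracketed form or an address with two colons).
is_ipv4_only() {
    grep -Eq '^[[:space:]]*ListenAddress[[:space:]]+0\.0\.0\.0([[:space:]:]|$)' "$1" \
        || return 1
    if grep -Eq '^[[:space:]]*ListenAddress[[:space:]]+(\[|[0-9A-Fa-f]*:[0-9A-Fa-f]*:)' "$1"
    then
        return 1
    fi
    return 0
}

# Run the edits against each sample and report the outcome.
for kind in stock dual custom; do
    f=$(make_sample "$kind")
    apply_listen_edits "$f"
    if is_ipv4_only "$f"; then
        echo "$kind: sshd restricted to IPv4"
    else
        echo "$kind: edits were a no-op, sshd NOT restricted to IPv4"
    fi
    rm -f "$f"
done
```

The `custom` sample shows the silent failure mode: neither pattern matches, both sed commands still exit 0, and the file is left without any active ListenAddress line.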
… as control plane ACLs
* github:
  - [minigraph]: Set hostname in all default minigraphs to 'sonic' (sonic-net#1333)
  - Install sonic-platform-common package in platform-monitor docker for ledd (sonic-net#1330)
  - Prevent supervisor from restarting configdb-load.sh (sonic-net#1324)
  - [scripts]: Fix issues with checking status of the DB. Use one approach everywhere. (sonic-net#1323)
  - [Arista7260cx3] Add platform specific reboot tool (sonic-net#1318)
  - Install azure cli into docker-sonic-mgmt (sonic-net#1322)
  - [sonic-py-swsssdk]: Update submodule pointer (sonic-net#1319)
  - [supervisor] Add patch to prevent 'supervisorctl start' command from hanging if system time has rolled backward (sonic-net#1311)
  - Move platform-specific hardware plugin base packages to sonic-platform-common submodule (sonic-net#1301)
  - [baseimage]: Add missing dependency of igb & ixgbe (sonic-net#1316)
  - [snmpagent]: Update sonic-snmpagent submodule (sonic-net#1314)
  - Run docker containers with /tmp and /var/tmp mounted to tmpfs (sonic-net#1313)
  - [Broadcom]: Update Boradcom SAI package to 3.0.3.3-3 (sonic-net#1312)
  - [submodule]: Update sairedis (sonic-net#1310)
  - [snmpagent]: Update sonic-snmpagent submodule (sonic-net#1308)
  - [baseimage]: add mkfs.ext3 and fsck.ext3 in initrd to support ext3 partition (sonic-net#1306)
  - [submodule]: update sonic-sairedis to enable syncd-rpc (sonic-net#1304)
  - [device]: Fix Mellanox sku check (sonic-net#1303)
  - Add support for Accton AS7712-32X platform (sonic-net#1299)
  - [build]: build libsaithrift-dev and docker-ptf-[platform] (sonic-net#1300)
  - [libsaithrift-dev]: Enable building libsaithrift-dev and pythonthrift libraries (sonic-net#1296)
  - [Platform] Update switch configuration files and download link for Ingrasys S9130-32X/S9230-64X (sonic-net#1295)
  - [Delta]: Add psuutil support for ag9032v1 (sonic-net#1298)
  - Revert "[Dell S6100, Z9100] psusutil sysfs attribute changes for hwmon (sonic-net#1264)" (sonic-net#1297)
  - [Dell S6100, Z9100] psusutil sysfs attribute changes for hwmon (sonic-net#1264)
  - [Platform]As7712-32x update for sensors test (sonic-net#1292)
  - Revert "[DHCP relay]: Add patch to always undef VLAN_TCI_PRESENT so as not to treat VLAN-tagged packets differently (sonic-net#1254)" (sonic-net#1291)
  - [[submodule]: Update swss-common (sonic-net#1289)
  - [baseimage]: Install sysfsutils package into SONiC host system (sonic-net#1290)
  - Add caclmgrd and related files to translate and install control plane ACL rules (sonic-net#1240)
  - [mellanox]: Update Mellanox buffers configuration (sonic-net#1263)
  - [platform]: chmod 0644 for *.mk files (sonic-net#1284)
  - [arista]: Update Arista platform modules and mount libraries to snmp docker (sonic-net#1283)
  - [platform]: chmod a+x for debian/rules for platform-modules-delta (sonic-net#1282)
  - Let debootstrap uses the same sources link as apt (sonic-net#1279)
  - [doc]: update sonic-buildimage clone instructions (sonic-net#1278)
  - [image]: Explicitly specify kernel_version as string (sonic-net#1280)
  - Disable autosuspend for USB devices, preventing usb drives to be stopped and then renamed (sonic-net#1275)
  - [platform]: As7712 32x add fancontrol (sonic-net#1270)
  - [Platform] Add psuutil support for Ingrasys S9130-32X (sonic-net#1273)
  - [submodules]: Update swss and utilitiles modules (sonic-net#1276)
  - [Platform] Add psuutil and update submodule for Ingrasys S9100-32X, S8810-32Q, S9200-64X on master branch (sonic-net#1271)
  - [centec]: support sai1.0 (sonic-net#1268)
  - [build]: add build badge for nephos platform (sonic-net#1267)
  - [build]: allow to use http(s) proxy in the build (sonic-net#1265)
  - [Accton AS7816-64X] Add new platform and device for AS7816-64X. (sonic-net#1260)
  - [Platform] Add Ingrasys S9130-32X and S9230-64X with Nephos Switch ASIC (sonic-net#1245)
  - Add 'make reset' target with warning prompt to reset git repo and submodules (sonic-net#1258)
  - [sudoers] Add 'docker ps' to READ_ONLY_CMDS (sonic-net#1259)
  - Add set/get lpmode and mode_rst feature for qsfp (sonic-net#1261)
  - [build] allow user to override the default number of build jobs (sonic-net#1255)
  - [build] make second Accton Debian package extra package of the first one (sonic-net#1257)
  - [arista] Delete sysfs entries for all Arista Digital Power Monitor/Management devices (sonic-net#1256)
  - [DHCP relay]: Add patch to always undef VLAN_TCI_PRESENT so as not to treat VLAN-tagged packets differently (sonic-net#1254)
  - [snmp]: Save S/N in state DB prior to starting service (sonic-net#1246)
  - [device/accton] Correct exception function name (sonic-net#1249)
  - [DHCP relay]: Fix circuit ID and remote ID bugs (sonic-net#1248)
  - [sonic-py-swsssdk]: Update submodule pointer (sonic-net#1253)
  - [swss]: update swss submodule (sonic-net#1244)
  - [broadcom]: update sai to 3.0.3.3-1 (sonic-net#1243)
…heel (#5926)

Submodule updates include the following commits:

* src/sonic-utilities 9dc58ea...f9eb739 (18):
  > Remove unnecessary calls to str.encode() now that the package is Python 3; Fix deprecation warning (#1260)
  > [generate_dump] Ignoring file/directory not found Errors (#1201)
  > Fixed porstat rate and util issues (#1140)
  > fix error: interface counters is mismatch after warm-reboot (#1099)
  > Remove unnecessary calls to str.decode() now that the package is Python 3 (#1255)
  > [acl-loader] Make list sorting compliant with Python 3 (#1257)
  > Replace hard-coded fast-reboot with variable. And some typo corrections (#1254)
  > [configlet][portconfig] Remove calls to dict.has_key() which is not available in Python 3 (#1247)
  > Remove unnecessary conversions to list() and calls to dict.keys() (#1243)
  > Clean up LGTM alerts (#1239)
  > Add 'requests' as install dependency in setup.py (#1240)
  > Convert to Python 3 (#1128)
  > Fix mock SonicV2Connector in python3: use decode_responses mode so caller code will be the same as python2 (#1238)
  > [tests] Do not trim from PATH if we did not append to it; Clean up/fix shebangs in scripts (#1233)
  > Updates to bgp config and show commands with BGP_INTERNAL_NEIGHBOR table (#1224)
  > [cli]: NAT show commands newline issue after migrated to Python3 (#1204)
  > [doc]: Update Command-Reference.md (#1231)
  > Added 'import sys' in feature.py file (#1232)
* src/sonic-py-swsssdk 9d9f0c6...1664be9 (2):
  > Fix: no need to decode() after redis client scan, so it will work for both python2 and python3 (#96)
  > FieldValueMap `contains`(`in`) will also work when migrated to libswsscommon(C++ with SWIG wrapper) (#94)

- Also fix Python 3-related issues:
  - Use integer (floor) division in config_samples.py (sonic-config-engine)
  - Replace print statement with print function in eeprom.py plugin for x86_64-kvm_x86_64-r0 platform
  - Update all platform plugins to be compatible with both Python 2 and Python 3
  - Remove shebangs from plugins files which are not intended to be executable
  - Replace tabs with spaces in Python plugin files and fix alignment, because Python 3 is more strict
  - Remove trailing whitespace from plugins files
The `requests` package is used by a couple modules (config/kube.py and scripts/neighbor_advertiser), but it was not specified as an install-time dependency. Now that the package is built as Python 3, some commands are crashing with `ModuleNotFoundError: No module named 'requests'`.
add vlan package for the command line vconfig
…tically (#16291)

#### Why I did it
src/sonic-sairedis
```
* 2ebbd48 - (HEAD -> 202211, origin/202211) [syncd] Add pre match logic for acl entry (#1240) (11 hours ago) [Kamil Cudnik]
* 1db8726 - Use SAI_STATUS_ITEM_NOT_FOUND when key not found (#1224) (11 hours ago) [Lawrence Lee]
* 9e4071b - [CI]: Fix collect log error in azp template. (#1282) (4 days ago) [Nazarii Hnydyn]
```
#### How I did it
#### How to verify it
#### Description for the changelog
- What I did