Change to call python module not cli to set fips mode

sonic-net · Jul 16, 2023 · cfbdef2 · cfbdef2
1 parent 5258b0f
commit cfbdef2
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 32 deletions.
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -75,30 +75,21 @@ stages:
         sudo dpkg -i libnl-nf-3-200_*.deb
         sudo dpkg -i libhiredis0.14_*.deb
         sudo dpkg -i libyang_1.0.73_*.deb
-      workingDirectory: $(Pipeline.Workspace)/target/debs/bullseye/
-      displayName: 'Install Debian dependencies'
-
-    - task: DownloadPipelineArtifact@2
-      inputs:
-        source: specific
-        project: build
-        pipeline: 9
-        artifact: sonic-swss-common
-        runVersion: 'latestFromBranch'
-        runBranch: 'refs/heads/$(BUILD_BRANCH)'
-      displayName: "Download sonic swss common deb packages"
-
-    - script: |
-        set -xe
         sudo dpkg -i libswsscommon_1.0.0_amd64.deb
         sudo dpkg -i python3-swsscommon_1.0.0_amd64.deb
-      workingDirectory: $(Pipeline.Workspace)/
-      displayName: 'Install swss-common dependencies'
+      workingDirectory: $(Pipeline.Workspace)/target/debs/bullseye/
+      displayName: 'Install Debian dependencies'
 
     - script: |
         set -xe
+        sudo pip3 install enum34
         sudo pip3 install swsssdk-2.0.1-py3-none-any.whl
         sudo pip3 install sonic_py_common-1.0-py3-none-any.whl
+        sudo pip3 install sonic_yang_mgmt-1.0-py3-none-any.whl
+        sudo pip3 install sonic_yang_models-1.0-py3-none-any.whl
+        sudo pip3 install sonic_config_engine-1.0-py3-none-any.whl
+        sudo pip3 install sonic_platform_common-1.0-py3-none-any.whl
+        sudo pip3 install sonic_utilities-1.2-py3-none-any.whl
       workingDirectory: $(Pipeline.Workspace)/target/python-wheels/bullseye/
       displayName: 'Install Python dependencies'
 

diff --git a/scripts/hostcfgd b/scripts/hostcfgd
@@ -18,6 +18,7 @@ from sonic_py_common import device_info
 from sonic_py_common.general import check_output_pipe
 from swsscommon.swsscommon import ConfigDBConnector, DBConnector, Table, SonicDBConfig
 from swsscommon import swsscommon
+from sonic_installer import bootloader
 
 # FILE
 PAM_AUTH_CONF = "/etc/pam.d/common-auth-sonic"
@@ -1869,6 +1870,9 @@ class FipsCfg(object):
 
         # Restart the services required and in the running state
         output = run_cmd_output(['sudo', 'systemctl', '-t', 'service', '--state=running', '--no-pager', '-o', 'json'])
+        if not output:
+            return
+
         services = [s['unit'] for s in json.loads(output)]
         for service in self.restart_services:
             if service in services or service + '.service' in services:
@@ -1877,16 +1881,14 @@ class FipsCfg(object):
 
 
     def update_enforce_config(self):
-        fips_state = run_cmd_output(['sudo', 'sonic-installer', 'get-fips'])
-        next_enforced = 'enabled' in fips_state
+        loader = bootloader.get_bootloader()
+        image = loader.get_next_image()
+        next_enforced = loader.get_fips(image)
         if next_enforced == self.enforce:
             syslog.syslog(syslog.LOG_INFO, f'FipsCfg: skipped to configure the enforce option {self.enforce}, since the config has already been set.')
             return
-        fips_option = '--disable-fips'
-        if self.enforce:
-            fips_option = '--enable-fips'
         syslog.syslog(syslog.LOG_INFO, f'FipsCfg: update the FIPS enforce option {self.enforce}.')
-        run_cmd(['sudo', 'sonic-installer', 'set-fips', fips_option])
+        loader.set_fips(image, self.enforce)
 
 class HostConfigDaemon:
     def __init__(self):

diff --git a/setup.py b/setup.py
@@ -5,7 +5,7 @@
 from packaging import version
 
 # sonic_dependencies, version requirement only supports '>='
-sonic_dependencies = ['sonic-py-common']
+sonic_dependencies = ['sonic-py-common', 'sonic-utilities']
 for package in sonic_dependencies:
     try:
         package_dist = pkg_resources.get_distribution(package.split(">=")[0])

diff --git a/tests/common/mock_bootloader.py b/tests/common/mock_bootloader.py
@@ -0,0 +1,13 @@
+class MockBootloader(object):
+
+    def __init__(self, enforce=False):
+        self.enforce = enforce
+
+    def get_next_image(self):
+        return ""
+
+    def set_fips(self, image, enable):
+        self.enforce = enable
+
+    def get_fips(self, image):
+        return self.enforce
diff --git a/tests/hostcfgd/hostcfgd_fips_test.py b/tests/hostcfgd/hostcfgd_fips_test.py
@@ -10,6 +10,7 @@
 from parameterized import parameterized
 from unittest import TestCase, mock
 from tests.common.mock_configdb import MockConfigDb, MockDBConnector
+from tests.common.mock_bootloader import MockBootloader
 from sonic_py_common.general import getstatusoutput_noshell
 
 test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -62,10 +63,11 @@ def assert_fips_runtime_config(self, result='1'):
         with open(hostcfgd.OPENSSL_FIPS_CONFIG_FILE) as f:
             assert f.read() == result
 
+    @mock.patch('sonic_installer.bootloader.get_bootloader', side_effect=[MockBootloader()])
     @mock.patch('syslog.syslog')
-    @mock.patch('subprocess.check_output', side_effect=['', json.dumps(running_services)])
+    @mock.patch('subprocess.check_output', side_effect=[json.dumps(running_services)])
     @mock.patch('subprocess.check_call')
-    def test_hostcfgd_fips_enable(self, mock_check_call, mock_check_output, mock_syslog):
+    def test_hostcfgd_fips_enable(self, mock_check_call, mock_check_output, mock_syslog, mock_get_bootloader):
         with open(hostcfgd.PROC_CMDLINE, 'w') as f:
             f.write('swiotlb=65536 sonic_fips=0')
         self.test_data['FIPS']['global']['enable'] = 'true'
@@ -78,10 +80,11 @@ def test_hostcfgd_fips_enable(self, mock_check_call, mock_check_output, mock_sys
         mock_syslog.assert_called_with(original_syslog.LOG_DEBUG, 'FipsCfg: update fips option complete.')
         self.assert_fips_runtime_config()
 
+    @mock.patch('sonic_installer.bootloader.get_bootloader', side_effect=[MockBootloader()])
     @mock.patch('syslog.syslog')
-    @mock.patch('subprocess.check_output', side_effect=['', json.dumps(running_services)])
+    @mock.patch('subprocess.check_output', side_effect=[json.dumps(running_services)])
     @mock.patch('subprocess.check_call')
-    def test_hostcfgd_fips_disable(self, mock_check_call, mock_check_output, mock_syslog):
+    def test_hostcfgd_fips_disable(self, mock_check_call, mock_check_output, mock_syslog, mock_get_bootloader):
         with open(hostcfgd.PROC_CMDLINE, 'w') as f:
             f.write('swiotlb=65536 sonic_fips=0')
         with open(hostcfgd.OPENSSL_FIPS_CONFIG_FILE, 'w') as f:
@@ -96,10 +99,11 @@ def test_hostcfgd_fips_disable(self, mock_check_call, mock_check_output, mock_sy
         mock_syslog.assert_called_with(original_syslog.LOG_DEBUG, 'FipsCfg: update fips option complete.')
         self.assert_fips_runtime_config('0')
 
+    @mock.patch('sonic_installer.bootloader.get_bootloader', return_value=MockBootloader())
     @mock.patch('syslog.syslog')
-    @mock.patch('subprocess.check_output', side_effect=['FIPS is disabled', json.dumps(running_services)])
+    @mock.patch('subprocess.check_output', side_effect=[json.dumps(running_services)])
     @mock.patch('subprocess.check_call')
-    def test_hostcfgd_fips_enforce(self, mock_check_call, mock_check_output, mock_syslog):
+    def test_hostcfgd_fips_enforce(self, mock_check_call, mock_check_output, mock_syslog, mock_get_bootloader):
         with open(hostcfgd.PROC_CMDLINE, 'w') as f:
             f.write('swiotlb=65536 sonic_fips=0')
         self.test_data['FIPS']['global']['enforce'] = 'true'
@@ -112,10 +116,11 @@ def test_hostcfgd_fips_enforce(self, mock_check_call, mock_check_output, mock_sy
         mock_syslog.assert_called_with(original_syslog.LOG_DEBUG, 'FipsCfg: update fips option complete.')
         self.assert_fips_runtime_config()
 
+    @mock.patch('sonic_installer.bootloader.get_bootloader', return_value=MockBootloader(True))
     @mock.patch('syslog.syslog')
-    @mock.patch('subprocess.check_output', side_effect=['FIPS is enabled', json.dumps(running_services)])
+    @mock.patch('subprocess.check_output', side_effect=[json.dumps(running_services)])
     @mock.patch('subprocess.check_call')
-    def test_hostcfgd_fips_enforce_reconf(self, mock_check_call, mock_check_output, mock_syslog):
+    def test_hostcfgd_fips_enforce_reconf(self, mock_check_call, mock_check_output, mock_syslog, mock_get_bootloader):
         with open(hostcfgd.PROC_CMDLINE, 'w') as f:
             f.write('swiotlb=65536 sonic_fips=1')
         self.test_data['FIPS']['global']['enforce'] = 'true'