Changes in sonic-buildimage to support the NAT feature (sonic-net#3494)

* Changes in sonic-buildimage for the NAT feature
- Docker for NAT
- installing the required tools iptables and conntrack for nat

Signed-off-by: [email protected]

* Add redis-tools dependencies in the docker nat compilation

* Addressed review comments

* add natsyncd to warm-boot finalizer list

* addressed review comments

* using swsscommon.DBConnector instead of swsssdk.SonicV2Connector

* Enable NAT application in docker-sonic-vs

Author: kirankella

build_debian.sh

@@ -272,7 +272,8 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
     cgroup-tools            \
     ipmitool                \
     ndisc6                  \
-    makedumpfile
+    makedumpfile            \
+    conntrack
 
 
 if [[ $CONFIGURED_ARCH == amd64 ]]; then

dockers/docker-nat/Dockerfile.j2

@@ -0,0 +1,46 @@
+{% from "dockers/dockerfile-macros.j2" import install_debian_packages, copy_files %}
+FROM docker-config-engine-stretch
+
+ARG docker_container_name
+RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf
+
+RUN echo
+
+## Make apt-get non-interactive
+ENV DEBIAN_FRONTEND=noninteractive
+
+## Install redis-tools dependencies
+## TODO: implicitly install dependencies
+RUN apt-get update        \
+&& apt-get install -f -y \
+       libdbus-1-3       \
+       libdaemon0        \
+       libjansson4       \
+       libpython2.7      \
+       libatomic1        \
+       libjemalloc1      \
+       liblua5.1-0       \
+       lua-bitop         \
+       lua-cjson         \
+       libelf1           \
+       libmnl0           \
+       bridge-utils      \
+       conntrack
+
+{% if docker_nat_debs.strip() -%}
+# Copy locally-built Debian package dependencies
+{{copy_files ("debs/", docker_nat_debs.split(' '), "/debs/") }}
+
+# Install locally-built Debian packages and implicitly install their dependencies
+{{ install_debian_packages(docker_nat_debs.split(' ')) }}
+{%- endif %}
+
+COPY ["start.sh", "/usr/bin/"]
+COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
+COPY ["restore_nat_entries.py", "/usr/bin/"]
+
+RUN apt-get clean -y; apt-get autoclean -y; apt-get autoremove -y
+RUN rm -rf /debs
+
+ENTRYPOINT ["/usr/bin/supervisord"]
+

dockers/docker-nat/base_image_files/natctl

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# -t option needed only for shell, not for commands
+
+docker exec -i nat natctl "$@"

dockers/docker-nat/restore_nat_entries.py

@@ -0,0 +1,104 @@
+#!/usr/bin/env python
+
+""""
+Description: restore_nat_entries.py -- restoring nat entries table into kernel during system warm reboot.
+    The script is started by supervisord in nat docker when the docker is started.
+    It does not do anything in case neither system nor nat warm restart is enabled.
+    In case nat warm restart enabled only, it sets the stateDB flag so natsyncd can continue
+    the reconciation process.
+    In case system warm reboot is enabled, it will try to restore the nat entries table into kernel
+    , then it sets the stateDB flag for natsyncd to continue the
+    reconciliation process.
+"""
+
+import sys
+import subprocess
+from swsscommon import swsscommon
+import logging
+import logging.handlers
+import re
+import os
+
+WARM_BOOT_FILE_DIR = '/var/warmboot/nat/'
+NAT_WARM_BOOT_FILE = 'nat_entries.dump'
+IP_PROTO_TCP       = '6'
+
+MATCH_CONNTRACK_ENTRY = '^(\w+)\s+(\d+).*src=([\d.]+)\s+dst=([\d.]+)\s+sport=(\d+)\s+dport=(\d+).*src=([\d.]+)\s+dst=([\d.]+)\s+sport=(\d+)\s+dport=(\d+)'
+REDIS_SOCK = "/var/run/redis/redis.sock"
+
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.INFO)
+handler = logging.handlers.SysLogHandler(address = '/dev/log')
+logger.addHandler(handler)
+
+def add_nat_conntrack_entry_in_kernel(ipproto, srcip, dstip, srcport, dstport, natsrcip, natdstip, natsrcport, natdstport):
+    # pyroute2 doesn't have support for adding conntrack entries via netlink yet. So, invoking the conntrack utility to add the entries.
+    state = ''
+    if (ipproto == IP_PROTO_TCP):
+        state = ' --state ESTABLISHED '
+    ctcmd = 'conntrack -I -n ' + natdstip + ':' + natdstport + ' -g ' + natsrcip + ':' + natsrcport + \
+                       ' --protonum ' + ipproto + state + ' --timeout 600 --src ' + srcip + ' --sport ' + srcport + \
+                       ' --dst ' + dstip + ' --dport ' + dstport + ' -u ASSURED'
+    subprocess.call(ctcmd, shell=True)
+    logger.info("Restored NAT entry: {}".format(ctcmd))
+
+# Set the statedb "NAT_RESTORE_TABLE|Flags", so natsyncd can start reconciliation
+def set_statedb_nat_restore_done():
+    statedb = swsscommon.DBConnector(swsscommon.STATE_DB, REDIS_SOCK, 0)
+    tbl = swsscommon.Table(statedb, "NAT_RESTORE_TABLE")
+    fvs = swsscommon.FieldValuePairs([("restored", "true")])
+    tbl.set("Flags", fvs)
+    return
+
+# This function is to restore the kernel nat entries based on the saved nat entries.
+def restore_update_kernel_nat_entries(filename):
+    # Read the entries from nat_entries.dump file and add them to kernel
+    conntrack_match_pattern = re.compile(r'{}'.format(MATCH_CONNTRACK_ENTRY))
+    with open(filename, 'r') as fp:
+        for line in fp:
+            ctline = conntrack_match_pattern.findall(line)
+            if not ctline:
+                continue
+            cmdargs = list(ctline.pop(0))
+            proto = cmdargs.pop(0)
+            if proto not in ('tcp', 'udp'):
+               continue
+            add_nat_conntrack_entry_in_kernel(*cmdargs)
+
+def main():
+    logger.info("restore_nat_entries service is started")
+
+    # Use warmstart python binding to check warmstart information
+    warmstart = swsscommon.WarmStart()
+    warmstart.initialize("natsyncd", "nat")
+    warmstart.checkWarmStart("natsyncd", "nat", False)
+
+    # if swss or system warm reboot not enabled, don't run
+    if not warmstart.isWarmStart():
+        logger.info("restore_nat_entries service is skipped as warm restart not enabled")
+        return
+
+    # NAT restart not system warm reboot, set statedb directly
+    if not warmstart.isSystemWarmRebootEnabled():
+        set_statedb_nat_restore_done()
+        logger.info("restore_nat_entries service is done as system warm reboot not enabled")
+        return
+
+    # Program the nat conntrack entries in the kernel by reading the
+    # entries from nat_entries.dump
+    try:
+        restore_update_kernel_nat_entries(WARM_BOOT_FILE_DIR + NAT_WARM_BOOT_FILE)
+    except Exception as e:
+        logger.exception(str(e))
+        sys.exit(1)
+
+    # Remove the dump file after restoration
+    os.remove(WARM_BOOT_FILE_DIR + NAT_WARM_BOOT_FILE) 
+
+    # set statedb to signal other processes like natsyncd
+    set_statedb_nat_restore_done()
+    logger.info("restore_nat_entries service is done for system warmreboot")
+    return
+
+if __name__ == '__main__':
+    main()

dockers/docker-nat/start.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+rm -f /var/run/rsyslogd.pid
+rm -f /var/run/nat/*
+
+mkdir -p /var/warmboot/nat
+
+supervisorctl start rsyslogd
+
+supervisorctl start natmgrd
+
+supervisorctl start natsyncd
+
+supervisorctl start restore_nat_entries
+

dockers/docker-nat/supervisord.conf

@@ -0,0 +1,47 @@
+[supervisord]
+logfile_maxbytes=1MB
+logfile_backups=2
+nodaemon=true
+
+[program:start.sh]
+command=/usr/bin/start.sh
+priority=1
+autostart=true
+autorestart=false
+stdout_logfile=syslog
+stderr_logfile=syslog
+
+[program:rsyslogd]
+command=/usr/sbin/rsyslogd -n
+priority=2
+autostart=false
+autorestart=false
+stdout_logfile=syslog
+stderr_logfile=syslog
+
+[program:natmgrd]
+command=/usr/bin/natmgrd
+priority=3
+autostart=false
+autorestart=false
+stdout_logfile=syslog
+stderr_logfile=syslog
+
+[program:natsyncd]
+command=/usr/bin/natsyncd
+priority=4
+autostart=false
+autorestart=false
+stdout_logfile=syslog
+stderr_logfile=syslog
+
+[program:restore_nat_entries]
+command=/usr/bin/restore_nat_entries.py
+priority=5
+autostart=false
+autorestart=false
+startsecs=0
+startretries=0
+stdout_logfile=syslog
+stderr_logfile=syslog
+

dockers/docker-orchagent/Dockerfile.j2

@@ -20,7 +20,8 @@ RUN apt-get update &&       \
         tcpdump             \
         libelf1             \
         libmnl0             \
-        bridge-utils
+        bridge-utils        \
+        conntrack
 
 {% if ( CONFIGURED_ARCH == "armhf" or CONFIGURED_ARCH == "arm64" ) %}
 ## Fix for gcc/python not found in arm docker

files/build_templates/nat.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=NAT container
+Requires=updategraph.service swss.service
+After=updategraph.service swss.service syncd.service
+Before=ntp-config.service
+
+[Service]
+User={{ sonicadmin_user }}
+ExecStartPre=/usr/bin/{{docker_container_name}}.sh start
+ExecStart=/usr/bin/{{docker_container_name}}.sh wait
+ExecStop=/usr/bin/{{docker_container_name}}.sh stop
+
+[Install]
+WantedBy=multi-user.target swss.service
+

files/build_templates/sonic_debian_extension.j2

@@ -81,6 +81,10 @@ sudo mkdir -p $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
 sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/ifupdown2_*.deb || \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 
+# Install ipables  (and its dependencies via 'apt-get -y install -f')
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/iptables_*.deb || \
+    sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
+
 # Install dependencies for SONiC config engine
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
     python-dev     \

files/image_config/warmboot-finalizer/finalize-warmboot.sh

@@ -3,7 +3,7 @@
 VERBOSE=no
 
 # Check components
-COMP_LIST="orchagent neighsyncd bgp"
+COMP_LIST="orchagent neighsyncd bgp natsyncd"
 EXP_STATE="reconciled"
 
 ASSISTANT_SCRIPT="/usr/bin/neighbor_advertiser"