diff --git a/dockers/docker-snmp-sv2/Dockerfile.j2 b/dockers/docker-snmp-sv2/Dockerfile.j2 index 1063f6d24b4..c931e2ed9d6 100644 --- a/dockers/docker-snmp-sv2/Dockerfile.j2 +++ b/dockers/docker-snmp-sv2/Dockerfile.j2 @@ -1,4 +1,4 @@ -FROM docker-config-engine +FROM docker-config-engine-stretch ARG docker_container_name RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf @@ -19,6 +19,10 @@ RUN apt-get install -y curl ca-certificates # Install gcc which is required for installing hiredis RUN apt-get install -y gcc make +# Install libdpkg-perl which is required for python3.6-3.6.0 as one of its specs i.e. no-pie-compile.specs +# The file referenced (`/usr/share/dpkg/no-pie-compile.specs`) is in the `libdpkg-perl` package on Debian +RUN apt-get install -y libdpkg-perl + {% if docker_snmp_sv2_debs.strip() -%} # Copy locally-built Debian package dependencies {%- for deb in docker_snmp_sv2_debs.split(' ') %} @@ -56,7 +60,7 @@ RUN pip install /python-wheels/{{ whl }} RUN python3.6 -m sonic_ax_impl install # Clean up -RUN apt-get -y purge libpython3.6-dev curl gcc make +RUN apt-get -y purge libpython3.6-dev curl gcc make libdpkg-perl RUN apt-get clean -y && apt-get autoclean -y && apt-get autoremove -y --purge RUN find / | grep -E "__pycache__" | xargs rm -rf RUN rm -rf /debs /python-wheels ~/.cache diff --git a/files/build_templates/snmp.service.j2 b/files/build_templates/snmp.service.j2 index b00c2107702..416156d5a89 100644 --- a/files/build_templates/snmp.service.j2 +++ b/files/build_templates/snmp.service.j2 @@ -1,6 +1,7 @@ [Unit] Description=SNMP container -Requires=updategraph.service swss.service +Requires=updategraph.service +Requisite=swss.service After=updategraph.service swss.service Before=ntp-config.service diff --git a/rules/docker-snmp-sv2.mk b/rules/docker-snmp-sv2.mk index 2da1e8e685e..37a640284d8 100644 --- a/rules/docker-snmp-sv2.mk +++ b/rules/docker-snmp-sv2.mk 
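Review bot: The snmp.service.j2 hunk moves swss.service from `Requires=` to `Requisite=` without a comment, and the two behave differently. With `Requisite=`, starting snmp no longer pulls swss in, and the start fails immediately if swss is not already active. Since this unit is the monitoring agent, a failed start that nobody notices leaves the device unmonitored, so the intent should be recorded above the directive, for example `# Requisite: never start swss on snmp's behalf; snmp start fails if swss is not already active`. It is also worth confirming that something restarts snmp once swss comes up, because nothing in this hunk does.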
@@ -5,9 +5,10 @@ $(DOCKER_SNMP_SV2)_PATH = $(DOCKERS_PATH)/docker-snmp-sv2 ## TODO: remove LIBPY3_DEV if we can get pip3 directly $(DOCKER_SNMP_SV2)_DEPENDS += $(SNMP) $(SNMPD) $(PY3) $(LIBPY3_DEV) $(DOCKER_SNMP_SV2)_PYTHON_WHEELS += $(SONIC_PLATFORM_COMMON_PY3) $(SWSSSDK_PY3) $(ASYNCSNMP_PY3) -$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE) +$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_STRETCH) SONIC_DOCKER_IMAGES += $(DOCKER_SNMP_SV2) SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_SNMP_SV2) +SONIC_STRETCH_DOCKERS += $(DOCKER_SNMP_SV2) $(DOCKER_SNMP_SV2)_CONTAINER_NAME = snmp $(DOCKER_SNMP_SV2)_RUN_OPT += --net=host --privileged -t diff --git a/sonic-slave-stretch/Dockerfile b/sonic-slave-stretch/Dockerfile index 5ad7f070b24..77746e2e779 100644 --- a/sonic-slave-stretch/Dockerfile +++ b/sonic-slave-stretch/Dockerfile @@ -259,6 +259,13 @@ RUN pip install j2cli # For sonic utilities testing RUN pip install click-default-group click natsort tabulate netifaces==0.10.7 fastentrypoints +# For sonic snmpagent mock testing +RUN pip3 install mockredispy==2.9.3 +RUN pip3 install PyYAML>=5.1 + +# For sonic-platform-common testing +RUN pip3 install redis + # For supervisor build RUN pip install meld3 mock diff --git a/src/libteam/0010-teamd-lacp-update-port-state-according-to-partners-sy.patch b/src/libteam/0010-teamd-lacp-update-port-state-according-to-partners-sy.patch new file mode 100644 index 00000000000..33e6140bab6 --- /dev/null +++ b/src/libteam/0010-teamd-lacp-update-port-state-according-to-partners-sy.patch 
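Review bot: In the sonic-slave-stretch/Dockerfile hunk, `RUN pip3 install PyYAML>=5.1` is a shell-form RUN, so the shell parses the unquoted `>=5.1` as an output redirection to a file named `=5.1`. pip then installs whatever PyYAML version is current, with no lower bound applied. Quote the requirement so the constraint reaches pip: `RUN pip3 install "PyYAML>=5.1"`. The neighbouring `RUN pip3 install redis` is unpinned while `mockredispy==2.9.3` is pinned; an exact pin there too would keep the build image reproducible and narrow what an upstream package change can pull into the build environment.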
@@ -0,0 +1,71 @@ +commit 15b56de0f309c942f0f3a588f40944d078db97f9 +Author: Pavel Shirshov +Date: Tue Apr 16 12:18:12 2019 -0700 + + teamd: lacp: update port state according to partner's sync bit + + Backport of + https://github.com/jpirko/libteam/commit/54f137c10579bf97800c61ebb13e732aa1d843e6#diff-f17610bfcc2bafe661a9f3ba496ebf12 + + According to 6.4.15 of IEEE 802.1AX-2014, Figure 6-22, the state that the + port is selected moves MUX state from DETACHED to ATTACHED. + + But ATTACHED state does not mean that the port can send and receive user + frames. COLLECTING_DISTRIBUTION state is the state that the port can send + and receive user frames. To move MUX state from ATTACHED to + COLLECTING_DISTRIBUTION, the partner state should be sync as well as the + port selected. + + In function lacp_port_actor_update(), only INFO_STATE_SYNCHRONIZATION + should be set to the actor.state when the port is selected. + INFO_STATE_COLLECTING and INFO_STATE_DISTRIBUTING should be set to false + with ATTACHED mode and set to true when INFO_STATE_SYNCHRONIZATION of + partner.state is set. + + In function lacp_port_should_be_{enabled, disabled}(), we also need to + check the INFO_STATE_SYNCHRONIZATION bit of partner.state. + + Signed-off-by: Hangbin Liu + 
Signed-off-by: Jiri Pirko + +diff --git a/teamd/teamd_runner_lacp.c b/teamd/teamd_runner_lacp.c +index dae9086..5fa026a 100644 +--- a/teamd/teamd_runner_lacp.c ++++ b/teamd/teamd_runner_lacp.c +@@ -361,7 +361,8 @@ static int lacp_port_should_be_enabled(struct lacp_port *lacp_port) + struct lacp *lacp = lacp_port->lacp; + + if (lacp_port_selected(lacp_port) && +- lacp_port->agg_lead == lacp->selected_agg_lead) ++ lacp_port->agg_lead == lacp->selected_agg_lead && ++ lacp_port->partner.state & INFO_STATE_SYNCHRONIZATION) + return true; + return false; + } +@@ -371,7 +372,8 @@ static int lacp_port_should_be_disabled(struct lacp_port *lacp_port) + struct lacp *lacp = lacp_port->lacp; + + if (!lacp_port_selected(lacp_port) || +- lacp_port->agg_lead != lacp->selected_agg_lead) ++ lacp_port->agg_lead != lacp->selected_agg_lead || ++ !(lacp_port->partner.state & INFO_STATE_SYNCHRONIZATION)) + return true; + return false; + } +@@ -966,9 +968,14 @@ static void lacp_port_actor_update(struct lacp_port *lacp_port) + state |= INFO_STATE_LACP_ACTIVITY; + if (lacp_port->lacp->cfg.fast_rate) + state |= INFO_STATE_LACP_TIMEOUT; +- if (lacp_port_selected(lacp_port)) ++ if (lacp_port_selected(lacp_port) && ++ lacp_port_agg_selected(lacp_port)) { + state |= INFO_STATE_SYNCHRONIZATION; +- state |= INFO_STATE_COLLECTING | INFO_STATE_DISTRIBUTING; ++ state &= ~(INFO_STATE_COLLECTING | INFO_STATE_DISTRIBUTING); ++ if (lacp_port->partner.state & INFO_STATE_SYNCHRONIZATION) ++ state |= INFO_STATE_COLLECTING | ++ INFO_STATE_DISTRIBUTING; ++ } + if (lacp_port->state == PORT_STATE_EXPIRED) + state |= INFO_STATE_EXPIRED; + if (lacp_port->state == PORT_STATE_DEFAULTED) diff --git a/src/libteam/series b/src/libteam/series index a6c4893d021..415d6f79af9 100644 --- a/src/libteam/series +++ b/src/libteam/series 
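Review bot: In the embedded teamd_runner_lacp.c hunk for lacp_port_actor_update(), the new condition also requires `lacp_port_agg_selected(lacp_port)` before INFO_STATE_SYNCHRONIZATION is set. The patch description does not mention this, and the helper is not defined anywhere in the visible patch. Since this is a backport, confirm that the helper exists and is declared above this point in the libteam version being patched, and note the extra condition in the patch header. As a style point, lacp_port_should_be_enabled() leaves `lacp_port->partner.state & INFO_STATE_SYNCHRONIZATION` unparenthesized inside the `&&` chain while lacp_port_should_be_disabled() wraps the same test; writing `(lacp_port->partner.state & INFO_STATE_SYNCHRONIZATION)` in both makes the precedence explicit. All three function bodies continue outside their hunks.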
@@ -7,3 +7,4 @@
 0007-Skip-setting-the-same-hwaddr-to-lag-port-to-avoid-di.patch
 0008-teamd-register-change-handler-for-TEAM_IFINFO_CHANGE.patch
 0009-teamd-prevent-private-change-handler-reentrance.patch
+0010-teamd-lacp-update-port-state-according-to-partners-sy.patch
\ No newline at end of file
diff --git a/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch b/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch
new file mode 100644
index 00000000000..b4a5e4a351d
--- /dev/null
+++ b/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch
@@ -0,0 +1,184 @@ +From: Andreas Henriksson +Date: Sat, 23 Dec 2017 22:25:41 +0000 +Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2 + +Initial support for OpenSSL 1.1.0 + +Changes by sebastian@breakpoint.cc: +- added OpenSSL 1.0.2 glue layer for backwarts compatibility +- dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL + version instead (and currently 1.0.2 is the only one supported). + +BTS: https://bugs.debian.org/828449 +Signed-off-by: Sebastian Andrzej Siewior +--- + apps/snmpusm.c | 43 ++++++++++++++++++++++++++++++++++++------- + configure.d/config_os_libs2 | 6 ------ + snmplib/keytools.c | 13 ++++++------- + snmplib/scapi.c | 17 +++++------------ + 4 files changed, 47 insertions(+), 32 deletions(-) + +--- a/apps/snmpusm.c ++++ b/apps/snmpusm.c +@@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char + } + + #if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO) ++ ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) ++ ++static void DH_get0_pqg(const DH *dh, ++ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) ++{ ++ if (p != NULL) ++ *p = dh->p; ++ if (q != NULL) ++ *q = dh->q; ++ if (g != NULL) ++ *g = dh->g; ++} ++ ++static void DH_get0_key(const DH *dh, const BIGNUM **pub_key, ++ const BIGNUM **priv_key) ++{ ++ if (pub_key != NULL) ++ *pub_key = dh->pub_key; ++ if (priv_key != NULL) ++ *priv_key = dh->priv_key; ++} ++ ++#endif ++ + int + get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar, + size_t outkey_len, +@@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va + oid *keyoid, size_t keyoid_len) { + u_char *dhkeychange; + DH *dh; +- BIGNUM *other_pub; ++ const BIGNUM *p, *g, *pub_key, *other_pub; + u_char *key; + size_t key_len; + +@@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va + dh = d2i_DHparams(NULL, &cp, dhvar->val_len); + } + +- if (!dh || !dh->g || !dh->p) { ++ if (dh) ++ DH_get0_pqg(dh, &p, NULL, &g); ++ ++ if (!dh || !g || !p) 
{ + SNMP_FREE(dhkeychange); + return SNMPERR_GENERR; + } + +- DH_generate_key(dh); +- if (!dh->pub_key) { ++ if (!DH_generate_key(dh)) { + SNMP_FREE(dhkeychange); + return SNMPERR_GENERR; + } + +- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) { ++ DH_get0_key(dh, &pub_key, NULL); ++ ++ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) { + SNMP_FREE(dhkeychange); + fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n", +- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key)); ++ (unsigned long)vars->val_len, BN_num_bytes(pub_key)); + return SNMPERR_GENERR; + } + +- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len); ++ BN_bn2bin(pub_key, dhkeychange + vars->val_len); + + key_len = DH_size(dh); + if (!key_len) { +--- a/configure.d/config_os_libs2 ++++ b/configure.d/config_os_libs2 +@@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr + AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt, + AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1, + [Define to 1 if you have the `AES_cfb128_encrypt' function.])) +- +- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create, +- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [], +- [Define to 1 if you have the `EVP_MD_CTX_create' function.]) +- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [], +- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.])) + fi + if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then + AC_CHECK_LIB(ssl, DTLSv1_method, +--- a/snmplib/keytools.c ++++ b/snmplib/keytools.c +@@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int + */ + #ifdef NETSNMP_USE_OPENSSL + +-#ifdef HAVE_EVP_MD_CTX_CREATE ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + ctx = EVP_MD_CTX_create(); + #else +- ctx = malloc(sizeof(*ctx)); +- if (!EVP_MD_CTX_init(ctx)) +- return SNMPERR_GENERR; ++ ctx = EVP_MD_CTX_new(); + #endif ++ if (!ctx) ++ return SNMPERR_GENERR; + #ifndef NETSNMP_DISABLE_MD5 + if (ISTRANSFORM(hashtype, HMACMD5Auth)) { + if (!EVP_DigestInit(ctx, EVP_md5())) +@@ 
-259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int + memset(buf, 0, sizeof(buf)); + #ifdef NETSNMP_USE_OPENSSL + if (ctx) { +-#ifdef HAVE_EVP_MD_CTX_DESTROY ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + EVP_MD_CTX_destroy(ctx); + #else +- EVP_MD_CTX_cleanup(ctx); +- free(ctx); ++ EVP_MD_CTX_free(ctx); + #endif + } + #endif +--- a/snmplib/scapi.c ++++ b/snmplib/scapi.c +@@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has + } + + /** initialize the pointer */ +-#ifdef HAVE_EVP_MD_CTX_CREATE ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + cptr = EVP_MD_CTX_create(); + #else +- cptr = malloc(sizeof(*cptr)); +-#if defined(OLD_DES) +- memset(cptr, 0, sizeof(*cptr)); +-#else +- EVP_MD_CTX_init(cptr); +-#endif ++ cptr = EVP_MD_CTX_new(); + #endif + if (!EVP_DigestInit(cptr, hashfn)) { + /* requested hash function is not available */ +@@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has + /** do the final pass */ + EVP_DigestFinal(cptr, MAC, &tmp_len); + *MAC_len = tmp_len; +-#ifdef HAVE_EVP_MD_CTX_DESTROY ++ ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + EVP_MD_CTX_destroy(cptr); + #else +-#if !defined(OLD_DES) +- EVP_MD_CTX_cleanup(cptr); +-#endif +- free(cptr); ++ EVP_MD_CTX_free(cptr); + #endif + return (rval); diff --git a/src/snmpd/patch-5.7.3+dfsg/series b/src/snmpd/patch-5.7.3+dfsg/series index f3b91e2382f..e3764c3aac5 100644 --- a/src/snmpd/patch-5.7.3+dfsg/series +++ b/src/snmpd/patch-5.7.3+dfsg/series @@ -2,3 +2,4 @@ 0002-at.c-properly-check-return-status-from-realloc.-Than.patch 0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch 0004-Disable-SNMPv1.patch +0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch diff --git a/src/sonic-platform-common b/src/sonic-platform-common index 4944a64c398..92b54b1984d 160000 --- a/src/sonic-platform-common +++ b/src/sonic-platform-common 
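Review bot: In the snmplib/scapi.c part of 0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch, sc_hash() passes `cptr` straight to `EVP_DigestInit(cptr, hashfn)` after `EVP_MD_CTX_create()` / `EVP_MD_CTX_new()` with no NULL check, so an allocation failure hands a NULL context to OpenSSL. The same patch adds exactly that guard in generate_Ku() (`if (!ctx) return SNMPERR_GENERR;`). sc_hash() should get the equivalent right after the `#endif`, e.g. `if (!cptr) return SNMPERR_GENERR;`, assuming that is the error code sc_hash uses, since its other return paths are outside the hunk. Separately, the compatibility shims `DH_get0_pqg()` and `DH_get0_key()` in apps/snmpusm.c are also compiled whenever `LIBRESSL_VERSION_NUMBER` is defined. Whether every LibreSSL release lacks those functions is not visible here, so that branch needs a build check if LibreSSL is a supported target.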
@@ -1 +1 @@
-Subproject commit 4944a64c39809685ce8daa864643b5a6c9847e43
+Subproject commit 92b54b1984db0b71196e4fe68cc5a09796fd185c
diff --git a/src/sonic-snmpagent b/src/sonic-snmpagent
index bd41744dc21..70a6c7dad4f 160000
--- a/src/sonic-snmpagent
+++ b/src/sonic-snmpagent
@@ -1 +1 @@
-Subproject commit bd41744dc213e122d4e60709fdd1368c6d832d01
+Subproject commit 70a6c7dad4fcfa750fb4d4efbf267842d19ca8ef