[pull] master from Azure:master

dockers/docker-snmp-sv2/Dockerfile.j2

@@ -1,4 +1,4 @@
-FROM docker-config-engine
+FROM docker-config-engine-stretch
 
 ARG docker_container_name
 RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf
@@ -19,6 +19,10 @@ RUN apt-get install -y curl ca-certificates
 # Install gcc which is required for installing hiredis
 RUN apt-get install -y gcc make
 
+# Install libdpkg-perl which is required for python3.6-3.6.0 as one of its specs i.e. no-pie-compile.specs
+# The file referenced (`/usr/share/dpkg/no-pie-compile.specs`) is in the `libdpkg-perl` package on Debian
+RUN apt-get install -y libdpkg-perl
+
 {% if docker_snmp_sv2_debs.strip() -%}
 # Copy locally-built Debian package dependencies
 {%- for deb in docker_snmp_sv2_debs.split(' ') %}
@@ -56,7 +60,7 @@ RUN pip install /python-wheels/{{ whl }}
 RUN python3.6 -m sonic_ax_impl install
 
 # Clean up
-RUN apt-get -y purge libpython3.6-dev curl gcc make
+RUN apt-get -y purge libpython3.6-dev curl gcc make libdpkg-perl
 RUN apt-get clean -y && apt-get autoclean -y && apt-get autoremove -y --purge
 RUN find / | grep -E "__pycache__" | xargs rm -rf
 RUN rm -rf /debs /python-wheels ~/.cache

files/build_templates/snmp.service.j2

@@ -1,6 +1,7 @@
 [Unit]
 Description=SNMP container
-Requires=updategraph.service swss.service
+Requires=updategraph.service
+Requisite=swss.service
 After=updategraph.service swss.service
 Before=ntp-config.service
 

rules/docker-snmp-sv2.mk

@@ -5,9 +5,10 @@ $(DOCKER_SNMP_SV2)_PATH = $(DOCKERS_PATH)/docker-snmp-sv2
 ## TODO: remove LIBPY3_DEV if we can get pip3 directly
 $(DOCKER_SNMP_SV2)_DEPENDS += $(SNMP) $(SNMPD) $(PY3) $(LIBPY3_DEV)
 $(DOCKER_SNMP_SV2)_PYTHON_WHEELS += $(SONIC_PLATFORM_COMMON_PY3) $(SWSSSDK_PY3) $(ASYNCSNMP_PY3)
-$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE)
+$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_STRETCH)
 SONIC_DOCKER_IMAGES += $(DOCKER_SNMP_SV2)
 SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_SNMP_SV2)
+SONIC_STRETCH_DOCKERS += $(DOCKER_SNMP_SV2)
 
 $(DOCKER_SNMP_SV2)_CONTAINER_NAME = snmp
 $(DOCKER_SNMP_SV2)_RUN_OPT += --net=host --privileged -t

sonic-slave-stretch/Dockerfile

@@ -259,6 +259,13 @@ RUN pip install j2cli
 # For sonic utilities testing
 RUN pip install click-default-group click natsort tabulate netifaces==0.10.7 fastentrypoints
 
+# For sonic snmpagent mock testing
+RUN pip3 install mockredispy==2.9.3
+RUN pip3 install PyYAML>=5.1
+
+# For sonic-platform-common testing
+RUN pip3 install redis
+
 # For supervisor build
 RUN pip install meld3 mock
 

src/libteam/0010-teamd-lacp-update-port-state-according-to-partners-sy.patch

@@ -0,0 +1,71 @@
+commit 15b56de0f309c942f0f3a588f40944d078db97f9
+Author: Pavel Shirshov <pavelsh@microsoft.com>
+Date:   Tue Apr 16 12:18:12 2019 -0700
+
+    teamd: lacp: update port state according to partner's sync bit
+
+    Backport of
+    https://github.com/jpirko/libteam/commit/54f137c10579bf97800c61ebb13e732aa1d843e6#diff-f17610bfcc2bafe661a9f3ba496ebf12
+
+    According to 6.4.15 of IEEE 802.1AX-2014, Figure 6-22, the state that the
+    port is selected moves MUX state from DETACHED to ATTACHED.
+
+    But ATTACHED state does not mean that the port can send and receive user
+    frames. COLLECTING_DISTRIBUTION state is the state that the port can send
+    and receive user frames. To move MUX state from ATTACHED to
+    COLLECTING_DISTRIBUTION, the partner state should be sync as well as the
+    port selected.
+
+    In function lacp_port_actor_update(), only INFO_STATE_SYNCHRONIZATION
+    should be set to the actor.state when the port is selected.
+    INFO_STATE_COLLECTING and INFO_STATE_DISTRIBUTING should be set to false
+    with ATTACHED mode and set to true when INFO_STATE_SYNCHRONIZATION of
+    partner.state is set.
+
+    In function lacp_port_should_be_{enabled, disabled}(), we also need to
+    check the INFO_STATE_SYNCHRONIZATION bit of partner.state.
+
+    Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+    Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+
+diff --git a/teamd/teamd_runner_lacp.c b/teamd/teamd_runner_lacp.c
+index dae9086..5fa026a 100644
+--- a/teamd/teamd_runner_lacp.c
++++ b/teamd/teamd_runner_lacp.c
+@@ -361,7 +361,8 @@ static int lacp_port_should_be_enabled(struct lacp_port *lacp_port)
+ 	struct lacp *lacp = lacp_port->lacp;
+
+ 	if (lacp_port_selected(lacp_port) &&
+-	    lacp_port->agg_lead == lacp->selected_agg_lead)
++	    lacp_port->agg_lead == lacp->selected_agg_lead &&
++	    lacp_port->partner.state & INFO_STATE_SYNCHRONIZATION)
+ 		return true;
+ 	return false;
+ }
+@@ -371,7 +372,8 @@ static int lacp_port_should_be_disabled(struct lacp_port *lacp_port)
+ 	struct lacp *lacp = lacp_port->lacp;
+
+ 	if (!lacp_port_selected(lacp_port) ||
+-	    lacp_port->agg_lead != lacp->selected_agg_lead)
++	    lacp_port->agg_lead != lacp->selected_agg_lead ||
++	    !(lacp_port->partner.state & INFO_STATE_SYNCHRONIZATION))
+ 		return true;
+ 	return false;
+ }
+@@ -966,9 +968,14 @@ static void lacp_port_actor_update(struct lacp_port *lacp_port)
+ 		state |= INFO_STATE_LACP_ACTIVITY;
+ 	if (lacp_port->lacp->cfg.fast_rate)
+ 		state |= INFO_STATE_LACP_TIMEOUT;
+-	if (lacp_port_selected(lacp_port))
++	if (lacp_port_selected(lacp_port) &&
++	    lacp_port_agg_selected(lacp_port)) {
+ 		state |= INFO_STATE_SYNCHRONIZATION;
+-	state |= INFO_STATE_COLLECTING | INFO_STATE_DISTRIBUTING;
++		state &= ~(INFO_STATE_COLLECTING | INFO_STATE_DISTRIBUTING);
++		if (lacp_port->partner.state & INFO_STATE_SYNCHRONIZATION)
++			state |= INFO_STATE_COLLECTING |
++				 INFO_STATE_DISTRIBUTING;
++	}
+ 	if (lacp_port->state == PORT_STATE_EXPIRED)
+ 		state |= INFO_STATE_EXPIRED;
+ 	if (lacp_port->state == PORT_STATE_DEFAULTED)

src/libteam/series

@@ -7,3 +7,4 @@
 0007-Skip-setting-the-same-hwaddr-to-lag-port-to-avoid-di.patch
 0008-teamd-register-change-handler-for-TEAM_IFINFO_CHANGE.patch
 0009-teamd-prevent-private-change-handler-reentrance.patch
+0010-teamd-lacp-update-port-state-according-to-partners-sy.patch

src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch

@@ -0,0 +1,184 @@
+From: Andreas Henriksson <andreas@fatal.se>
+Date: Sat, 23 Dec 2017 22:25:41 +0000
+Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2
+
+Initial support for OpenSSL 1.1.0
+
+Changes by sebastian@breakpoint.cc:
+- added OpenSSL 1.0.2 glue layer for backwarts compatibility
+- dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL
+  version instead (and currently 1.0.2 is the only one supported).
+
+BTS: https://bugs.debian.org/828449
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ apps/snmpusm.c              |   43 ++++++++++++++++++++++++++++++++++++-------
+ configure.d/config_os_libs2 |    6 ------
+ snmplib/keytools.c          |   13 ++++++-------
+ snmplib/scapi.c             |   17 +++++------------
+ 4 files changed, 47 insertions(+), 32 deletions(-)
+
+--- a/apps/snmpusm.c
++++ b/apps/snmpusm.c
+@@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char
+ }
+
+ #if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO)
++
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
++
++static void DH_get0_pqg(const DH *dh,
++			const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
++{
++	if (p != NULL)
++		*p = dh->p;
++	if (q != NULL)
++		*q = dh->q;
++	if (g != NULL)
++		*g = dh->g;
++}
++
++static void DH_get0_key(const DH *dh, const BIGNUM **pub_key,
++			const BIGNUM **priv_key)
++{
++	if (pub_key != NULL)
++		*pub_key = dh->pub_key;
++	if (priv_key != NULL)
++		*priv_key = dh->priv_key;
++}
++
++#endif
++
+ int
+ get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar,
+                size_t outkey_len,
+@@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va
+                oid *keyoid, size_t keyoid_len) {
+     u_char *dhkeychange;
+     DH *dh;
+-    BIGNUM *other_pub;
++    const BIGNUM *p, *g, *pub_key, *other_pub;
+     u_char *key;
+     size_t key_len;
+
+@@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va
+         dh = d2i_DHparams(NULL, &cp, dhvar->val_len);
+     }
+
+-    if (!dh || !dh->g || !dh->p) {
++    if (dh)
++        DH_get0_pqg(dh, &p, NULL, &g);
++
++    if (!dh || !g || !p) {
+         SNMP_FREE(dhkeychange);
+         return SNMPERR_GENERR;
+     }
+
+-    DH_generate_key(dh);
+-    if (!dh->pub_key) {
++    if (!DH_generate_key(dh)) {
+         SNMP_FREE(dhkeychange);
+         return SNMPERR_GENERR;
+     }
+
+-    if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) {
++    DH_get0_key(dh, &pub_key, NULL);
++
++    if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) {
+         SNMP_FREE(dhkeychange);
+         fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n",
+-                (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key));
++                (unsigned long)vars->val_len, BN_num_bytes(pub_key));
+         return SNMPERR_GENERR;
+     }
+
+-    BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len);
++    BN_bn2bin(pub_key, dhkeychange + vars->val_len);
+
+     key_len = DH_size(dh);
+     if (!key_len) {
+--- a/configure.d/config_os_libs2
++++ b/configure.d/config_os_libs2
+@@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr
+             AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt, 
+                 AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1,
+                     [Define to 1 if you have the `AES_cfb128_encrypt' function.]))
+-
+-            AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create,
+-                AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [],
+-                    [Define to 1 if you have the `EVP_MD_CTX_create' function.])
+-                AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [],
+-                    [Define to 1 if you have the `EVP_MD_CTX_destroy' function.]))
+         fi
+         if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then
+ 	    AC_CHECK_LIB(ssl, DTLSv1_method,
+--- a/snmplib/keytools.c
++++ b/snmplib/keytools.c
+@@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int
+      */
+ #ifdef NETSNMP_USE_OPENSSL
+
+-#ifdef HAVE_EVP_MD_CTX_CREATE
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+     ctx = EVP_MD_CTX_create();
+ #else
+-    ctx = malloc(sizeof(*ctx));
+-    if (!EVP_MD_CTX_init(ctx))
+-        return SNMPERR_GENERR;
++    ctx = EVP_MD_CTX_new();
+ #endif
++    if (!ctx)
++        return SNMPERR_GENERR;
+ #ifndef NETSNMP_DISABLE_MD5
+     if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
+         if (!EVP_DigestInit(ctx, EVP_md5()))
+@@ -259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int
+     memset(buf, 0, sizeof(buf));
+ #ifdef NETSNMP_USE_OPENSSL
+     if (ctx) {
+-#ifdef HAVE_EVP_MD_CTX_DESTROY
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+         EVP_MD_CTX_destroy(ctx);
+ #else
+-        EVP_MD_CTX_cleanup(ctx);
+-        free(ctx);
++        EVP_MD_CTX_free(ctx);
+ #endif
+     }
+ #endif
+--- a/snmplib/scapi.c
++++ b/snmplib/scapi.c
+@@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has
+     }
+
+ /** initialize the pointer */
+-#ifdef HAVE_EVP_MD_CTX_CREATE
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+     cptr = EVP_MD_CTX_create();
+ #else
+-    cptr = malloc(sizeof(*cptr));
+-#if defined(OLD_DES)
+-    memset(cptr, 0, sizeof(*cptr));
+-#else
+-    EVP_MD_CTX_init(cptr);
+-#endif
++    cptr = EVP_MD_CTX_new();
+ #endif
+     if (!EVP_DigestInit(cptr, hashfn)) {
+         /* requested hash function is not available */
+@@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has
+ /** do the final pass */
+     EVP_DigestFinal(cptr, MAC, &tmp_len);
+     *MAC_len = tmp_len;
+-#ifdef HAVE_EVP_MD_CTX_DESTROY
++
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+     EVP_MD_CTX_destroy(cptr);
+ #else
+-#if !defined(OLD_DES)
+-    EVP_MD_CTX_cleanup(cptr);
+-#endif
+-    free(cptr);
++    EVP_MD_CTX_free(cptr);
+ #endif
+     return (rval);

src/snmpd/patch-5.7.3+dfsg/series

@@ -2,3 +2,4 @@
 0002-at.c-properly-check-return-status-from-realloc.-Than.patch
 0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
 0004-Disable-SNMPv1.patch
+0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch