From e4a26a6f4f6949c1ddceea147d211a9d3ba477ef Mon Sep 17 00:00:00 2001
From: "david.zagury"
Date: Wed, 2 Jul 2025 18:19:59 +0300
Subject: [PATCH 1/9] Test with most permissions remove

---
 rules/docker-platform-monitor.mk | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/docker-platform-monitor.mk b/rules/docker-platform-monitor.mk
index 0c25795ca4a..5ec30ad1f5d 100644
--- a/rules/docker-platform-monitor.mk
+++ b/rules/docker-platform-monitor.mk
@@ -50,7 +50,8 @@ SONIC_DOCKER_DBG_IMAGES += $(DOCKER_PLATFORM_MONITOR_DBG)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_PLATFORM_MONITOR_DBG)
 
 $(DOCKER_PLATFORM_MONITOR)_CONTAINER_NAME = pmon
-$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --privileged -t
+# $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --privileged -t
+$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --cap-add=SYS_RAWIO --cap-add=SYS_ADMIN -t
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/localtime:/etc/localtime:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /host/reboot-cause:/host/reboot-cause:rw

From 12239a20d3d41c518fc2e20ae2a86bf99ed800b9 Mon Sep 17 00:00:00 2001
From: "david.zagury"
Date: Sun, 6 Jul 2025 18:48:53 +0300
Subject: [PATCH 2/9] Remove apparmor and systempaths restrictions

---
 rules/docker-platform-monitor.mk | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/docker-platform-monitor.mk b/rules/docker-platform-monitor.mk
index 5ec30ad1f5d..18e7a29b759 100644
--- a/rules/docker-platform-monitor.mk
+++ b/rules/docker-platform-monitor.mk
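Review bot: The new `--cap-add` line carries no comment recording which pmon component needs CAP_SYS_RAWIO and which needs CAP_SYS_ADMIN, so a later reader cannot tell whether either can be dropped; CAP_SYS_ADMIN in particular is broad enough that it should have a written justification next to it. Suggest a why-comment directly above the line, such as `# Replaces --privileged: SYS_RAWIO for <consumer-1>, SYS_ADMIN for <consumer-2> -- keep this list minimal`, with the placeholders filled in by the author. The same line is rewritten again in patches 2 and 6 without gaining such a comment, so the note applies there too.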
@@ -51,13 +51,16 @@ SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_PLATFORM_MONITOR_DBG)
 
 $(DOCKER_PLATFORM_MONITOR)_CONTAINER_NAME = pmon
 # $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --privileged -t
-$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --cap-add=SYS_RAWIO --cap-add=SYS_ADMIN -t
+$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --cap-add=SYS_RAWIO --cap-add=SYS_ADMIN --cap-add=SYS_MODULE -t --security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/localtime:/etc/localtime:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /host/reboot-cause:/host/reboot-cause:rw
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /host/pmon/stormond:/usr/share/stormond:rw
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /var/run/platform_cache:/var/run/platform_cache:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /usr/share/sonic/device/pddf:/usr/share/sonic/device/pddf:ro
+# Add LED device mounts for hardware access
+$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /sys/devices/platform/mlxplat:/sys/devices/platform/mlxplat:rw
+$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /sys/class/leds:/sys/class/leds:rw
 
 # Mount Arista python library on Aboot images to be used by plugins
 $(DOCKER_PLATFORM_MONITOR)_aboot_RUN_OPT += -v /usr/lib/libsfp-eeprom.so:/usr/lib/libsfp-eeprom.so:ro

From 4afc1d5630710bb4a556e44c4eebfeee94e60167 Mon Sep 17 00:00:00 2001
From: "david.zagury"
Date: Mon, 7 Jul 2025 15:03:06 +0300
Subject: [PATCH 3/9] Fix missing dev/sda and sys/module

---
 rules/docker-platform-monitor.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/docker-platform-monitor.mk b/rules/docker-platform-monitor.mk
index 18e7a29b759..7eccea21251 100644
--- a/rules/docker-platform-monitor.mk
+++ b/rules/docker-platform-monitor.mk
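Review bot: `--security-opt="systempaths=unconfined"` on the rewritten `_RUN_OPT` line lifts the default masking of sensitive /proc and /sys paths and their read-only remount, and `apparmor=unconfined` drops the container profile, so together with CAP_SYS_ADMIN this gives back much of the isolation that removing `--privileged` in patch 1 gained; the subject states what is removed but nothing records why. The same hunk already bind-mounts the specific sysfs paths it needs (`/sys/class/leds`, `/sys/devices/platform/mlxplat`), so it is worth checking whether those explicit mounts alone are enough and, if the unconfined options are still required, naming the path or operation in a comment such as `# apparmor/systempaths unconfined needed for <operation> -- TODO narrow`. The two options are also quoted inconsistently (`apparmor=unconfined` bare, `"systempaths=unconfined"` quoted); pick one form. These options survive unchanged as context through patches 3, 6, 7, 8 and 9, so the comment belongs in the final state as well.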
@@ -52,6 +52,8 @@ SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_PLATFORM_MONITOR_DBG)
 $(DOCKER_PLATFORM_MONITOR)_CONTAINER_NAME = pmon
 # $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --privileged -t
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --cap-add=SYS_RAWIO --cap-add=SYS_ADMIN --cap-add=SYS_MODULE -t --security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
+$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --device=/dev/sda:/dev/sda
+$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /sys/module/sx_core:/sys/module/sx_core:rw
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/localtime:/etc/localtime:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /host/reboot-cause:/host/reboot-cause:rw

From 36add0d99caa9b8adbed4ad683f19019c3f27ad4 Mon Sep 17 00:00:00 2001
From: "david.zagury"
Date: Wed, 9 Jul 2025 18:10:56 +0300
Subject: [PATCH 4/9] Add watchdogs

---
 files/build_templates/docker_image_ctl.j2 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
index 4ca34262409..a0075bb3e83 100644
--- a/files/build_templates/docker_image_ctl.j2
+++ b/files/build_templates/docker_image_ctl.j2
@@ -690,8 +690,7 @@ start() {
 $SMARTSWITCH_MNT \
 -v /dev/shm:/dev/shm:rw \
 -e SX_API_SOCKET_FILE=/var/run/sx_sdk/sx_api.sock \
- -v /dev/shm:/dev/shm:rw \
-{%- else %}
+ -v /dev/shm:/dev/shm:rw \{%- else %}
 {%- if mount_default_tmpfs|default("n") == "y" %}
 --tmpfs /tmp \
 {%- endif %}
@@ -705,6 +704,8 @@ start() {
 {%- endif %}
 {%- if docker_container_name == "pmon" %}
 -v /usr/share/sonic/firmware:/usr/share/sonic/firmware:rw \
+ $(if [ -e "/dev/watchdog" ]; then echo "--device=/dev/watchdog:/dev/watchdog"; fi) \
+ $(for watchdog in /sys/class/watchdog/*; do if [ -d "$watchdog" ]; then device_name=$(basename "$watchdog"); dev_file="/dev/$device_name"; if [ -e "$dev_file" ]; then echo "--device=$dev_file:$dev_file"; fi; fi; done) \
 {%- endif %}
 {%- if docker_container_name == "swss" %}
 -e ASIC_VENDOR={{ sonic_asic_platform }} \

From b2983ed4daa12d967ede8c35cd1bb337de01c3d0 Mon Sep 17 00:00:00 2001
From: "david.zagury"
Date: Sun, 13 Jul 2025 17:12:55 +0300
Subject: [PATCH 5/9] Fix docker_image_ctl

---
 files/build_templates/docker_image_ctl.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
index a0075bb3e83..024ab774791 100644
--- a/files/build_templates/docker_image_ctl.j2
+++ b/files/build_templates/docker_image_ctl.j2
@@ -690,7 +690,8 @@ start() {
 $SMARTSWITCH_MNT \
 -v /dev/shm:/dev/shm:rw \
 -e SX_API_SOCKET_FILE=/var/run/sx_sdk/sx_api.sock \
- -v /dev/shm:/dev/shm:rw \{%- else %}
+ -v /dev/shm:/dev/shm:rw \
+{%- else %}
 {%- if mount_default_tmpfs|default("n") == "y" %}
 --tmpfs /tmp \
 {%- endif %}

From ce85c25912c34c08a3a40aafb6641b8539590739 Mon Sep 17 00:00:00 2001
From: "david.zagury"
Date: Sun, 13 Jul 2025 17:13:26 +0300
Subject: [PATCH 6/9] No need for SYS_MODULE

---
 rules/docker-platform-monitor.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/docker-platform-monitor.mk b/rules/docker-platform-monitor.mk
index 7eccea21251..6eefcf906ab 100644
--- a/rules/docker-platform-monitor.mk
+++ b/rules/docker-platform-monitor.mk
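Review bot: The second added line packs a complete `for`/`if` loop into one inline `$(...)` inside the `docker run` argument list, which is hard to read, hard to diff and cannot be checked on its own; the surrounding script already computes option strings up front and references them as a single variable (`$SMARTSWITCH_MNT` in the hunk at line 690), so the watchdog device list should be built the same way before the `docker run` and referenced once. The loop logic itself looks right: `[ -d "$watchdog" ]` also skips the literal unexpanded glob when `/sys/class/watchdog` is empty, and the `-e` test avoids handing docker a nonexistent device path. Note that `/dev/watchdog` is passed in addition to every `/dev/watchdogN`, which is presumably intended. `start()` begins and ends outside this hunk, so the exact place for the variable definition is not visible here.
```shell
# Watchdog devices handed to pmon; empty when the platform exposes none.
WATCHDOG_DEVS=""
if [ -e /dev/watchdog ]; then
    WATCHDOG_DEVS="--device=/dev/watchdog:/dev/watchdog"
fi
for wd in /sys/class/watchdog/*; do
    dev="/dev/$(basename "$wd")"
    if [ -d "$wd" ] && [ -e "$dev" ]; then
        WATCHDOG_DEVS="$WATCHDOG_DEVS --device=$dev:$dev"
    fi
done
# … unchanged: docker run arguments up to the firmware mount …
        $WATCHDOG_DEVS \
```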
@@ -51,7 +51,7 @@ SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_PLATFORM_MONITOR_DBG)
 
 $(DOCKER_PLATFORM_MONITOR)_CONTAINER_NAME = pmon
 # $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --privileged -t
-$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --cap-add=SYS_RAWIO --cap-add=SYS_ADMIN --cap-add=SYS_MODULE -t --security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
+$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --cap-add=SYS_RAWIO --cap-add=SYS_ADMIN -t --security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --device=/dev/sda:/dev/sda
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /sys/module/sx_core:/sys/module/sx_core:rw
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro

From 8d4c248cd5b2f692751cad676d9fba7d39a9b84a Mon Sep 17 00:00:00 2001
From: "david.zagury"
Date: Sun, 13 Jul 2025 17:46:38 +0300
Subject: [PATCH 7/9] Move mlx paths to only be on mlx

---
 files/build_templates/docker_image_ctl.j2 | 2 ++
 rules/docker-platform-monitor.mk | 2 --
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
index 024ab774791..7dbb7db1b86 100644
--- a/files/build_templates/docker_image_ctl.j2
+++ b/files/build_templates/docker_image_ctl.j2
@@ -684,6 +684,8 @@ start() {
 -v /var/log/sai_failure_dump:/var/log/sai_failure_dump:rw \
 -e SX_API_SOCKET_FILE=/var/run/sx_sdk/sx_api.sock \
 {%- elif docker_container_name == "pmon" %}
+ -v /sys/devices/platform/mlxplat:/sys/devices/platform/mlxplat:rw \
+ -v /sys/module/sx_core:/sys/module/sx_core:rw \
 -v /var/run/hw-management:/var/run/hw-management:rw \
 -v mlnx_sdk_socket:/var/run/sx_sdk \
 -v /tmp/nv-syncd-shared/:/tmp \
diff --git a/rules/docker-platform-monitor.mk b/rules/docker-platform-monitor.mk
index 6eefcf906ab..adbf0c7e0bf 100644
--- a/rules/docker-platform-monitor.mk
+++ b/rules/docker-platform-monitor.mk
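Review bot: Both sysfs mounts added under the `pmon` branch are `:rw`, and a writable bind of `/sys/module/sx_core` lets any root process in the container change every writable parameter of that kernel module; if pmon only reads state from these trees, `:ro` is the tighter default, and if it must write, a comment naming the writer (for example `# rw: <component> writes <attribute> under mlxplat`) would let a reviewer confirm the scope. Whether this `elif` branch is itself limited to the Mellanox platform is not visible here, since the enclosing `if` chain starts outside the hunk; the neighbouring `hw-management` and `mlnx_sdk_socket` mounts suggest it is, which is what the commit subject claims. `start()` begins and ends outside this hunk.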
@@ -53,7 +53,6 @@ $(DOCKER_PLATFORM_MONITOR)_CONTAINER_NAME = pmon
 # $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --privileged -t
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --cap-add=SYS_RAWIO --cap-add=SYS_ADMIN -t --security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --device=/dev/sda:/dev/sda
-$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /sys/module/sx_core:/sys/module/sx_core:rw
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/localtime:/etc/localtime:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /host/reboot-cause:/host/reboot-cause:rw
@@ -61,7 +60,6 @@ $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /host/pmon/stormond:/usr/share/stormond
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /var/run/platform_cache:/var/run/platform_cache:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /usr/share/sonic/device/pddf:/usr/share/sonic/device/pddf:ro
 # Add LED device mounts for hardware access
-$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /sys/devices/platform/mlxplat:/sys/devices/platform/mlxplat:rw
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /sys/class/leds:/sys/class/leds:rw
 
 # Mount Arista python library on Aboot images to be used by plugins

From 4a69672a7bcb7c81e6300e668f7d4c4f2ae90173 Mon Sep 17 00:00:00 2001
From: "david.zagury"
Date: Sun, 13 Jul 2025 17:47:16 +0300
Subject: [PATCH 8/9] Remove comment

---
 rules/docker-platform-monitor.mk | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/docker-platform-monitor.mk b/rules/docker-platform-monitor.mk
index adbf0c7e0bf..5fe6b232503 100644
--- a/rules/docker-platform-monitor.mk
+++ b/rules/docker-platform-monitor.mk
@@ -50,7 +50,6 @@ SONIC_DOCKER_DBG_IMAGES += $(DOCKER_PLATFORM_MONITOR_DBG)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_PLATFORM_MONITOR_DBG)
 
 $(DOCKER_PLATFORM_MONITOR)_CONTAINER_NAME = pmon
-# $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --privileged -t
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --cap-add=SYS_RAWIO --cap-add=SYS_ADMIN -t --security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --device=/dev/sda:/dev/sda
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro

From acd72c6eed27c67ca8f9ac7a57daeeb1dd7b0c8e Mon Sep 17 00:00:00 2001
From: "david.zagury"
Date: Thu, 31 Jul 2025 10:43:23 +0300
Subject: [PATCH 9/9] Remove sda

---
 rules/docker-platform-monitor.mk | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/docker-platform-monitor.mk b/rules/docker-platform-monitor.mk
index 5fe6b232503..97619e2fa8b 100644
--- a/rules/docker-platform-monitor.mk
+++ b/rules/docker-platform-monitor.mk
@@ -51,7 +51,6 @@ SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_PLATFORM_MONITOR_DBG)
 
 $(DOCKER_PLATFORM_MONITOR)_CONTAINER_NAME = pmon
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --cap-add=SYS_RAWIO --cap-add=SYS_ADMIN -t --security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
-$(DOCKER_PLATFORM_MONITOR)_RUN_OPT += --device=/dev/sda:/dev/sda
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /etc/localtime:/etc/localtime:ro
 $(DOCKER_PLATFORM_MONITOR)_RUN_OPT += -v /host/reboot-cause:/host/reboot-cause:rw