Add TELEMETRY_WATCHDOG_CERT_PROBE_ENABLED function into watchdog#24743
Closed
FengPan-Frank wants to merge 462 commits intosonic-net:masterfrom
Closed
Add TELEMETRY_WATCHDOG_CERT_PROBE_ENABLED function into watchdog#24743FengPan-Frank wants to merge 462 commits intosonic-net:masterfrom
FengPan-Frank wants to merge 462 commits intosonic-net:masterfrom
Conversation
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request adds certificate authentication validation capabilities to the telemetry watchdog health check system. The feature introduces a new probe that tests both positive and negative certificate authentication scenarios by making gNMI calls with different certificate configurations to verify that authentication is working correctly.
Key changes:
- Added a new
TELEMETRY_WATCHDOG_CERT_PROBE_ENABLEDenvironment variable to control certificate probe functionality (enabled by default) - Implemented dual certificate probes: one with "bad" credentials expected to fail, and one with "good" credentials expected to succeed
- Added certificate-related constants for CA certificates, server certificates, keys, and target names for both test scenarios
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+49
to
+60
| // BAD (expected fail) probe | ||
| const DEFAULT_BAD_CA: &str = "/etc/sonic/telemetry/dsmsroot.cer"; | ||
| const DEFAULT_BAD_CERT: &str = "/etc/sonic/telemetry/streamingtelemetryserver.cer"; | ||
| const DEFAULT_BAD_KEY: &str = "/etc/sonic/telemetry/streamingtelemetryserver.key"; | ||
| const DEFAULT_BAD_TNAME: &str = "server.ndastreaming.ap.gbl"; | ||
|
|
||
| // GOOD (expected success) probe | ||
| const DEFAULT_GOOD_CA: &str = "/etc/sonic/credentials/AME_ROOT_CERTIFICATE.pem"; | ||
| const DEFAULT_GOOD_CERT: &str = "/etc/sonic/credentials/sonick8sclient2.crt"; | ||
| const DEFAULT_GOOD_KEY: &str = "/etc/sonic/credentials/sonick8sclient2.key"; | ||
| const DEFAULT_GOOD_TNAME: &str = "SonicK8sDashboard.NETWORK-test-bl6p.bl6p.ap.gbl"; | ||
|
|
There was a problem hiding this comment.
The hardcoded certificate paths and target names (DEFAULT_BAD_CA, DEFAULT_BAD_CERT, etc.) appear to be environment-specific and may not exist on all systems. Consider making these configurable via environment variables (similar to how other probes can be configured) or Redis configuration to make the probe more flexible across different deployments.
Suggested change
| // BAD (expected fail) probe | |
| const DEFAULT_BAD_CA: &str = "/etc/sonic/telemetry/dsmsroot.cer"; | |
| const DEFAULT_BAD_CERT: &str = "/etc/sonic/telemetry/streamingtelemetryserver.cer"; | |
| const DEFAULT_BAD_KEY: &str = "/etc/sonic/telemetry/streamingtelemetryserver.key"; | |
| const DEFAULT_BAD_TNAME: &str = "server.ndastreaming.ap.gbl"; | |
| // GOOD (expected success) probe | |
| const DEFAULT_GOOD_CA: &str = "/etc/sonic/credentials/AME_ROOT_CERTIFICATE.pem"; | |
| const DEFAULT_GOOD_CERT: &str = "/etc/sonic/credentials/sonick8sclient2.crt"; | |
| const DEFAULT_GOOD_KEY: &str = "/etc/sonic/credentials/sonick8sclient2.key"; | |
| const DEFAULT_GOOD_TNAME: &str = "SonicK8sDashboard.NETWORK-test-bl6p.bl6p.ap.gbl"; | |
| // BAD (expected fail) probe environment variable names | |
| const BAD_CA_ENV_VAR: &str = "TELEMETRY_WATCHDOG_BAD_CA"; | |
| const BAD_CERT_ENV_VAR: &str = "TELEMETRY_WATCHDOG_BAD_CERT"; | |
| const BAD_KEY_ENV_VAR: &str = "TELEMETRY_WATCHDOG_BAD_KEY"; | |
| const BAD_TNAME_ENV_VAR: &str = "TELEMETRY_WATCHDOG_BAD_TNAME"; | |
| // GOOD (expected success) probe environment variable names | |
| const GOOD_CA_ENV_VAR: &str = "TELEMETRY_WATCHDOG_GOOD_CA"; | |
| const GOOD_CERT_ENV_VAR: &str = "TELEMETRY_WATCHDOG_GOOD_CERT"; | |
| const GOOD_KEY_ENV_VAR: &str = "TELEMETRY_WATCHDOG_GOOD_KEY"; | |
| const GOOD_TNAME_ENV_VAR: &str = "TELEMETRY_WATCHDOG_GOOD_TNAME"; | |
| // BAD (expected fail) probe defaults | |
| const DEFAULT_BAD_CA: &str = "/etc/sonic/telemetry/dsmsroot.cer"; | |
| const DEFAULT_BAD_CERT: &str = "/etc/sonic/telemetry/streamingtelemetryserver.cer"; | |
| const DEFAULT_BAD_KEY: &str = "/etc/sonic/telemetry/streamingtelemetryserver.key"; | |
| const DEFAULT_BAD_TNAME: &str = "server.ndastreaming.ap.gbl"; | |
| // GOOD (expected success) probe defaults | |
| const DEFAULT_GOOD_CA: &str = "/etc/sonic/credentials/AME_ROOT_CERTIFICATE.pem"; | |
| const DEFAULT_GOOD_CERT: &str = "/etc/sonic/credentials/sonick8sclient2.crt"; | |
| const DEFAULT_GOOD_KEY: &str = "/etc/sonic/credentials/sonick8sclient2.key"; | |
| const DEFAULT_GOOD_TNAME: &str = "SonicK8sDashboard.NETWORK-test-bl6p.bl6p.ap.gbl"; | |
| // Helper functions to get BAD/GOOD probe values from env or default | |
| fn get_bad_ca() -> String { | |
| std::env::var(BAD_CA_ENV_VAR).unwrap_or_else(|_| DEFAULT_BAD_CA.to_string()) | |
| } | |
| fn get_bad_cert() -> String { | |
| std::env::var(BAD_CERT_ENV_VAR).unwrap_or_else(|_| DEFAULT_BAD_CERT.to_string()) | |
| } | |
| fn get_bad_key() -> String { | |
| std::env::var(BAD_KEY_ENV_VAR).unwrap_or_else(|_| DEFAULT_BAD_KEY.to_string()) | |
| } | |
| fn get_bad_tname() -> String { | |
| std::env::var(BAD_TNAME_ENV_VAR).unwrap_or_else(|_| DEFAULT_BAD_TNAME.to_string()) | |
| } | |
| fn get_good_ca() -> String { | |
| std::env::var(GOOD_CA_ENV_VAR).unwrap_or_else(|_| DEFAULT_GOOD_CA.to_string()) | |
| } | |
| fn get_good_cert() -> String { | |
| std::env::var(GOOD_CERT_ENV_VAR).unwrap_or_else(|_| DEFAULT_GOOD_CERT.to_string()) | |
| } | |
| fn get_good_key() -> String { | |
| std::env::var(GOOD_KEY_ENV_VAR).unwrap_or_else(|_| DEFAULT_GOOD_KEY.to_string()) | |
| } | |
| fn get_good_tname() -> String { | |
| std::env::var(GOOD_TNAME_ENV_VAR).unwrap_or_else(|_| DEFAULT_GOOD_TNAME.to_string()) | |
| } |
Comment on lines
+320
to
+325
| fn is_cert_probe_enabled() -> bool { | ||
| match env::var(CERT_PROBE_ENV_VAR) { | ||
| Ok(v) if v.eq_ignore_ascii_case("false") => false, | ||
| _ => true, // default enabled | ||
| } | ||
| } |
There was a problem hiding this comment.
The cert probe is enabled by default and relies on hardcoded file paths (e.g., /etc/sonic/credentials/AME_ROOT_CERTIFICATE.pem). If these files don't exist in all deployment environments, the probe will fail on every health check, which could cause monitoring alerts. Consider either: 1) making the probe default to disabled (like the serial number probe), or 2) checking if the certificate files exist before running the probe, or 3) documenting the required file locations clearly.
| @@ -382,6 +403,41 @@ fn main() { | |||
| let timeout = read_timeout(); | |||
| let target_name = get_target_name(); | |||
|
|
|||
| // Certificate probes on reboot-cause/history API | |||
There was a problem hiding this comment.
[nitpick] The comment describes "Certificate probes on reboot-cause/history API" but doesn't explain the purpose or rationale. Consider adding context about why this specific endpoint is used for certificate testing (e.g., "Tests certificate validation using the reboot-cause/history endpoint as a representative gNMI query").
Suggested change
| // Certificate probes on reboot-cause/history API | |
| // Certificate probes using the reboot-cause/history API. | |
| // This endpoint is used as a representative gNMI query to test certificate validation. |
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+47
to
+59
| const CERT_PROBE_ENV_VAR: &str = "TELEMETRY_WATCHDOG_CERT_PROBE_ENABLED"; | ||
|
|
||
| // BAD (expected fail) probe | ||
| const DEFAULT_BAD_CA: &str = "/etc/sonic/telemetry/dsmsroot.cer"; | ||
| const DEFAULT_BAD_CERT: &str = "/etc/sonic/telemetry/streamingtelemetryserver.cer"; | ||
| const DEFAULT_BAD_KEY: &str = "/etc/sonic/telemetry/streamingtelemetryserver.key"; | ||
| const DEFAULT_BAD_TNAME: &str = "server.ndastreaming.ap.gbl"; | ||
|
|
||
| // GOOD (expected success) probe | ||
| const DEFAULT_GOOD_CA: &str = "/etc/sonic/credentials/AME_ROOT_CERTIFICATE.pem"; | ||
| const DEFAULT_GOOD_CERT: &str = "/etc/sonic/credentials/sonick8sclient2.crt"; | ||
| const DEFAULT_GOOD_KEY: &str = "/etc/sonic/credentials/sonick8sclient2.key"; | ||
| const DEFAULT_GOOD_TNAME: &str = "SonicK8sDashboard.NETWORK-test-bl6p.bl6p.ap.gbl"; |
There was a problem hiding this comment.
Missing documentation for the new certificate probe feature. Consider adding a comment block before the constants (lines 47-59) explaining the purpose of these certificate probes, what "BAD" and "GOOD" mean in this context, and when/why this feature should be enabled or disabled. This would help future maintainers understand the testing strategy being implemented.
Comment on lines
+406
to
+408
| // Certificate probes on reboot-cause/history API | ||
| // 1) BAD cert: expect failure | ||
| // 2) GOOD cert: expect success |
There was a problem hiding this comment.
[nitpick] The comment states "Certificate probes on reboot-cause/history API" but doesn't explain the testing strategy. The comment should clarify that this is testing certificate validation by: 1) Attempting to connect with known invalid certificates (expecting failure) and 2) Attempting to connect with valid certificates (expecting success). This helps readers understand that this is a negative/positive test pair for certificate authentication.
Suggested change
| // Certificate probes on reboot-cause/history API | |
| // 1) BAD cert: expect failure | |
| // 2) GOOD cert: expect success | |
| // Certificate validation probes on reboot-cause/history API. | |
| // This tests certificate authentication with a negative/positive test pair: | |
| // 1) Attempt to connect with a known invalid (BAD) certificate and expect failure (negative test). | |
| // 2) Attempt to connect with a known valid (GOOD) certificate and expect success (positive test). |
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+410
to
+418
| let xpath_rc = "reboot-cause/history"; | ||
|
|
||
| let bad_sec = TelemetrySecurityConfig { | ||
| use_client_auth: true, | ||
| ca_crt: DEFAULT_BAD_CA.to_string(), | ||
| server_crt: DEFAULT_BAD_CERT.to_string(), | ||
| server_key: DEFAULT_BAD_KEY.to_string(), | ||
| }; | ||
| let mut res_bad = run_gnmi_for_xpath(&xpath_rc, port, &bad_sec, DEFAULT_BAD_TNAME, timeout, "SHOW"); |
There was a problem hiding this comment.
The BAD cert probe inverts the expected outcome but doesn't invert the xpath field in the CommandResult. The xpath field will show "reboot-cause/history" for both BAD and GOOD tests, making it difficult to distinguish them in the JSON output. Consider using a more descriptive xpath value like "reboot-cause/history (BAD cert)" and "reboot-cause/history (GOOD cert)" to make the test results clearer.
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+49
to
+53
| // BAD (expected fail) probe | ||
| const DEFAULT_BAD_CA: &str = "/etc/sonic/telemetry/dsmsroot.cer"; | ||
| const DEFAULT_BAD_CERT: &str = "/etc/sonic/telemetry/streamingtelemetryserver.cer"; | ||
| const DEFAULT_BAD_KEY: &str = "/etc/sonic/telemetry/streamingtelemetryserver.key"; | ||
| const DEFAULT_BAD_TNAME: &str = "server.ndastreaming.ap.gbl"; |
There was a problem hiding this comment.
The 'BAD' certificate constants are identical to the default certificate constants (lines 41-43), which undermines the purpose of testing certificate validation. If these paths point to the same valid certificates as the defaults, the 'BAD' probe won't actually test failure scenarios. Consider using truly invalid certificate paths, or add a comment explaining why these are expected to fail.
Suggested change
| // BAD (expected fail) probe | |
| const DEFAULT_BAD_CA: &str = "/etc/sonic/telemetry/dsmsroot.cer"; | |
| const DEFAULT_BAD_CERT: &str = "/etc/sonic/telemetry/streamingtelemetryserver.cer"; | |
| const DEFAULT_BAD_KEY: &str = "/etc/sonic/telemetry/streamingtelemetryserver.key"; | |
| const DEFAULT_BAD_TNAME: &str = "server.ndastreaming.ap.gbl"; | |
| // BAD (expected fail) probe: use clearly invalid/non-existent certificate paths and target name | |
| const DEFAULT_BAD_CA: &str = "/etc/sonic/telemetry/invalid_bad_probe_ca.pem"; | |
| const DEFAULT_BAD_CERT: &str = "/etc/sonic/telemetry/invalid_bad_probe_cert.pem"; | |
| const DEFAULT_BAD_KEY: &str = "/etc/sonic/telemetry/invalid_bad_probe_key.pem"; | |
| const DEFAULT_BAD_TNAME: &str = "invalid.bad-probe.local"; |
Comment on lines
+418
to
+427
| let mut res_bad = run_gnmi_for_xpath(&xpath_rc, port, &bad_sec, DEFAULT_BAD_TNAME, timeout, "SHOW"); | ||
| if res_bad.success { | ||
| res_bad.success = false; | ||
| let msg = "Expected FAILURE with BAD cert but command SUCCEEDED".to_string(); | ||
| res_bad.error = Some(match res_bad.error.take() { | ||
| Some(existing) => format!("{existing}; {msg}"), | ||
| None => msg, | ||
| }); | ||
| http_status = "HTTP/1.1 500 Internal Server Error"; | ||
| } |
There was a problem hiding this comment.
The logic of inverting success/failure for the 'BAD' cert probe adds complexity. The probe mutates res_bad.success after the fact, which could be confusing for debugging. Consider adding a comment explaining that this is a negative test case, or create a dedicated field in CommandResult to distinguish between positive and negative test cases.
…t#23432) (sonic-net#25491) The ctrmgr_iptables_test.py test_table test fails intermittently on ARM64 build machines because it relies on real DNS resolution via socket.gethostbyname(). Root cause: test case 4 uses hostname 'www.google.comx' expecting DNS to fail (return empty string). On build machines with DNS hijacking or NXDOMAIN redirection, this resolves to a real IP (e.g., the proxy IP 45.54.28.15), causing the assertion 'assert ret == ""' to fail with the unexpected destination '45.54.28.15:3128'. Similarly, test case 3 uses 'www.google.com' relying on live DNS which can fail in air-gapped build environments. Fix: - Mock socket.gethostbyname with deterministic results: known test hostnames return fixed IPs, unknown hostnames raise gaierror - Replace 'www.google.comx' with 'host.invalid' (RFC 6761 reserved TLD, guaranteed to never resolve) for invalid-hostname test cases - Add explicit 'ret' assertion to test case 3 (was previously unchecked) with the deterministic mock IP Signed-off-by: Rustiqly <[email protected]> Co-authored-by: Rustiqly <[email protected]> Signed-off-by: Feng Pan <[email protected]>
) Signed-off-by: Roy Wen <[email protected]> Co-authored-by: saravanan sellappa <[email protected]> Signed-off-by: Feng Pan <[email protected]>
Root cause: On UpstreamLC/UpperSpineRouter devices, the TO_BGP_PEER route-map sequence 60 was missing "on-match next", causing it to stop processing and preventing sequence 100 (CHECK_IDF_ISOLATION) from being reached. Route → Seq 50 (tag contributing routes) → on-match next → Seq 60 (strip local anchor community) → STOP (no on-match next) → Seq 100 (CHECK_IDF_ISOLATION) ← NEVER REACHED! This caused: - IDF isolation to not work (no-export community not added) - test_seq_idf_isolation.py to fail on disaggregated T2 Resolution: Add "on-match next" to sequence 60 in TO_BGP_PEER_V4/V6 route-maps to allow processing to continue to sequence 100 (CHECK_IDF_ISOLATION). Route → Seq 50 (tag contributing routes) → on-match next → Seq 60 (strip local anchor community) → on-match next → Seq 100 (CHECK_IDF_ISOLATION) ← NOW REACHABLE Tested the below testcases with this fix and it is passing. - test_seq_idf_isolation.py - test_prefix_list.py - test_ipv6_nlri_over_ipv4.py - test_bgp_update_timer.py - test_route_flap.py Signed-off-by: selva <[email protected]> Signed-off-by: Feng Pan <[email protected]>
…onic-net#25864) What is the motivation for this PR: This PR combines changes from sonic-net#25594 and sonic-net#25306 to update sonic-platform-common and align the BMC reset_root_password unit test with new min password length functionality. How did you do it: Cherry-picked both PRs, updated sonic-platform-common submodule, and refreshed test_bmc.py mocks for redfish_api_get_min_password_length and redfish_api_set_min_password_length. How did you verify/test it: UT execution of test_bmc.py. Signed-off-by: Ying Xie <[email protected]> Signed-off-by: Ben Levi <[email protected]> Signed-off-by: Feng Pan <[email protected]>
What is the motivation for this PR: To fix a regression on agera2 gearbox after merge of sonic-sairedis#1758; gbsyncd crashes due to missing sai_query_stats_st_capability. How did you do it: Updated the PAI header to include the missing API definition. How did you verify/test it: Validated port bringup on a device with agera2 gearbox. Signed-off-by: Tejaswini Chadaga <[email protected]> Signed-off-by: Feng Pan <[email protected]>
…e memory footprints (sonic-net#24656) Why I did it System ready - Update from MultiProcessing to MultiThreading to reduce memory footprints Work item tracking Microsoft ADO (number only): How I did it Change Multiprocessing to Multithreading in sysmonitor code Signed-off-by: Feng Pan <[email protected]>
…net#25643) * [build] Add build timing report and dependency analysis tools Add three scripts for build performance instrumentation: - scripts/build-timing-report.sh: Parse per-package timing from build logs (HEADER/FOOTER timestamps), generate sorted duration table, phase breakdown, parallelism timeline, and CSV export. - scripts/build-dep-graph.py: Parse rules/*.mk dependency graph, compute critical path, fan-out/fan-in bottleneck analysis, and generate DOT/JSON output for visualization. - scripts/build-resource-monitor.sh: Sample CPU, memory, disk I/O, and Docker container count during builds for resource utilization analysis. Add "make build-report" target to slave.mk that runs the timing report and dependency analysis after a build completes. Example output from a VS build on 24-core/30GB machine: - 210 packages built in 53m wall time (173m CPU) - Max concurrency: 5 (with SONIC_CONFIG_BUILD_JOBS=4) - Critical path: 14 packages deep (libnl -> libswsscommon -> utilities) - Top bottleneck: LIBSWSSCOMMON with 48 downstream dependents Signed-off-by: Rustiqly <[email protected]> * Address Copilot review: fix 17 bugs in build analysis scripts - Use free -m with division instead of free -g to avoid rounding (sonic-net#1) - Add = and ?= to Makefile dependency regex patterns (sonic-net#2, sonic-net#7) - CPU calculation now uses /proc/stat delta (two reads) (sonic-net#3, sonic-net#14) - Fix misleading 'critical path estimate' comment (sonic-net#4) - Fix parallelism timeline comment (60s not 10s) (sonic-net#5) - Include after-relationship packages in fan stats (sonic-net#6) - Guard disk I/O division by zero when INTERVAL<=1 (sonic-net#8) - Remove unused elapsed_line variable (sonic-net#9) - Remove redundant LIBSWSSCOMMON_DBG check (sonic-net#10) - Remove active_make_jobs from CSV header comment (sonic-net#11) - Wire up _RDEPENDS parsing to build reverse deps (sonic-net#12) - Remove unnecessary 'if v' filter on rdeps JSON (sonic-net#13) - Remove unused REPORT_FORMAT parameter (sonic-net#15) - Add cycle detection to critical path algorithm (sonic-net#16) - Add execute permission check for companion scripts (sonic-net#17) Signed-off-by: Rustiqly <[email protected]> --------- Signed-off-by: Rustiqly <[email protected]> Co-authored-by: Rustiqly <[email protected]> Signed-off-by: Feng Pan <[email protected]>
…et#25752) SONiC patch 0014 adds zebra_vrf_config_write() as a void function but uses 'return 0;' at the end. GCC 12 (bookworm) treats -Wreturn-mismatch as a warning, but GCC 14 (trixie) promotes it to an error, breaking the FRR build under BLDENV=trixie. Fix: change 'return 0;' to 'return;' in the patch. Signed-off-by: Rustiqly <[email protected]> Co-authored-by: Rustiqly <[email protected]> Signed-off-by: Feng Pan <[email protected]>
…D automatically (sonic-net#25905) #### Why I did it src/sonic-platform-daemons ``` * 6ab20ec - (HEAD -> master, origin/master, origin/HEAD) Refactor media-settings parser (sonic-net#762) (7 hours ago) [Prince George] ``` #### How I did it #### How to verify it #### Description for the changelog Signed-off-by: Feng Pan <[email protected]>
…et#25370) Use local built libsnmp-dev related packages instead of debian in sonic-slave-bookworm. It will avoid snmp related packages breaking reproducible build. --------- Signed-off-by: Yijing Yan <[email protected]> Signed-off-by: Feng Pan <[email protected]>
Signed-off-by: Yan Markman <[email protected]> Co-authored-by: Lihua Yuan <[email protected]> Signed-off-by: Feng Pan <[email protected]>
* marvell-prestera: SMDEP ignore symlink Signed-off-by: Yan Markman <[email protected]> * [mrvl-prestera] fix BGP irq, no sonic-ext.target Fix BGP IRQ loss amd64: ethDriver.c force DMA_BIT_MASK 32bits Signed-off-by: Yan Markman <[email protected]> --------- Signed-off-by: Yan Markman <[email protected]> Signed-off-by: Feng Pan <[email protected]>
Fix for issue sonic-net#24771 syncd supervisor-proc-exit-listener FATAL under startup and high CPU loading Signed-off-by: Yan Markman <[email protected]> Signed-off-by: Feng Pan <[email protected]>
Signed-off-by: Tejaswini Chadaga <[email protected]> Signed-off-by: Feng Pan <[email protected]>
* Upgrade docker in Trixie slave container to Docker 28 This was missed in the initial Trixie upgrade, but as of right now, this has no impact on anything. This upgrades the Docker daemon in the Trixie slave container to Docker 28. Docker 29 is the latest version, but due to changes in how containers are built and possible memory usage increases, I'm keeping it at 28 for now. Signed-off-by: Saikrishna Arcot <[email protected]> * Update Docker version in final image as well Signed-off-by: Saikrishna Arcot <[email protected]> * Fix containerd.io version Signed-off-by: Saikrishna Arcot <[email protected]> * Replace with variable Signed-off-by: Saikrishna Arcot <[email protected]> --------- Signed-off-by: Saikrishna Arcot <[email protected]> Signed-off-by: Feng Pan <[email protected]>
…tomatically (sonic-net#25872) #### Why I did it src/sonic-linux-kernel ``` * dac5f90 - (HEAD -> master, origin/master, origin/HEAD) DTS file as a patch for Nexthop bmc card (sonic-net#537) (29 hours ago) [Chandrasekaran Swaminathan] * 2afef96 - Add a patch for printing the AMD Zen CPU reset reason (sonic-net#514) (29 hours ago) [lotus-nexthop] ``` #### How I did it #### How to verify it #### Description for the changelog Signed-off-by: Feng Pan <[email protected]>
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines will not run the associated pipelines, because the pull request was updated after the run command was issued. Review the pull request again and issue a new run command. |
|
One or more co-authors of this pull request were not found. You must specify co-authors in commit message trailer via: Supported
Please update your commit message(s) by doing |
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
There was a problem hiding this comment.
apt is not recommended in non-interactive Docker builds (more likely to produce prompts/unstable CLI output). Prefer apt-get (and keep update/install in the same layer when possible) to make the build deterministic.
Suggested change
| RUN apt-get install -f -y \ |
Comment on lines
524
to
533
There was a problem hiding this comment.
The test [ $(ENABLE_DOCKER_BASE_PULL) == y ] will emit a shell error when ENABLE_DOCKER_BASE_PULL is empty/unset (common for optional env vars). Quote the variable and/or use [[ ... ]] to avoid noisy failures and to ensure the pull path behaves predictably.
There was a problem hiding this comment.
Multi-distro dispatch is inconsistent: bullseye/bookworm route through the distro target with EXTRA_DOCKER_TARGETS, while trixie forwards $@ directly. This increases the risk that trixie behaves differently (e.g., missing shared distro setup steps). Consider using the same dispatch pattern for trixie for consistency.
Suggested change
| $(MAKE_WITH_RETRY) EXTRA_DOCKER_TARGETS=$(notdir $@) BLDENV=trixie -f Makefile.work trixie |
There was a problem hiding this comment.
Piping a remote script directly into bash is a supply-chain risk (users can't inspect what will run, and it executes whatever the server returns at that moment). Prefer documenting a safer flow: download to a file, review it, optionally pin to a commit hash/tag, then execute.
Suggested change
| curl -sSL -o prerequisites.sh https://raw.githubusercontent.com/sonic-net/sonic-buildimage/master/scripts/prerequisites.sh | |
| # Optionally, inspect the script before running it: | |
| less prerequisites.sh | |
| bash prerequisites.sh |
There was a problem hiding this comment.
Correct spelling in the sensor label: 'Ambiant' → 'Ambient'.
Suggested change
| label temp4 "Inlet Ambient Air" |
8 tasks
Contributor
Author
|
use #25962 instead of this PR |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why I did it
Support cname based authorization in telemetry. Fixed the config DB key used by telemetry.
Work item tracking
How I did it
Turn on telemetry side gnmi_client_role in sidecar, and add watchdog probe functionality.
How to verify it
Before added, no cname check
After added.
known cname cert could visit SHOW
unknown cname cert will be blocked:
two watchdog prob as below:
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Description for the changelog
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)