From ba6041497f4b461756b8881ff8e864f5193b9f06 Mon Sep 17 00:00:00 2001
From: Dawei Huang
Date: Sun, 8 Mar 2026 16:46:00 +0000
Subject: [PATCH 1/5] [gnmi] Migrate docker-sonic-gnmi, docker-gnmi-sidecar, and docker-gnmi-watchdog to Debian Trixie Update base image references from docker-config-engine-bookworm to docker-config-engine-trixie for all three gnmi-related containers. Move them from SONIC_BOOKWORM_DOCKERS to SONIC_TRIXIE_DOCKERS to align with the ongoing container migration to Debian 13 (Trixie). This follows the same pattern as PR #25942 (Brcm containers migrate to trixie) and builds on the Trixie base layers added in PR #25184.
Signed-off-by: Dawei Huang
---
 dockers/docker-gnmi-sidecar/Dockerfile.j2 | 2 +-
 dockers/docker-gnmi-watchdog/Dockerfile.j2 | 4 ++--
 dockers/docker-sonic-gnmi/Dockerfile.j2 | 2 +-
 rules/docker-gnmi-sidecar.mk | 6 +++---
 rules/docker-gnmi-watchdog.mk | 6 +++---
 rules/docker-gnmi.mk | 10 +++++-----
 6 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/dockers/docker-gnmi-sidecar/Dockerfile.j2 b/dockers/docker-gnmi-sidecar/Dockerfile.j2
index 6c7ceffbba4..64a9ffdc123 100644
--- a/dockers/docker-gnmi-sidecar/Dockerfile.j2
+++ b/dockers/docker-gnmi-sidecar/Dockerfile.j2
@@ -1,5 +1,5 @@
 {% from "dockers/dockerfile-macros.j2" import rsync_from_builder_stage %}
-ARG BASE=docker-config-engine-bookworm-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
+ARG BASE=docker-config-engine-trixie-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
 FROM $BASE AS base
diff --git a/dockers/docker-gnmi-watchdog/Dockerfile.j2 b/dockers/docker-gnmi-watchdog/Dockerfile.j2
index 0cb339f056f..42cde56b932 100644
--- a/dockers/docker-gnmi-watchdog/Dockerfile.j2
+++ b/dockers/docker-gnmi-watchdog/Dockerfile.j2
@@ -1,4 +1,4 @@
-FROM docker-config-engine-bookworm-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}} AS builder
+FROM docker-config-engine-trixie-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}} AS builder
 # Update apt's cache of available packages
 RUN apt-get update && apt-get install -y \
@@ -18,7 +18,7 @@ COPY watchdog/ ./
 # Build from within /watchdog
 RUN cargo build --release
-FROM docker-config-engine-bookworm-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
+FROM docker-config-engine-trixie-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
 ARG docker_container_name
 ARG image_version
diff --git a/dockers/docker-sonic-gnmi/Dockerfile.j2 b/dockers/docker-sonic-gnmi/Dockerfile.j2
index fa9274fc246..c10e2557181 100644
--- a/dockers/docker-sonic-gnmi/Dockerfile.j2
+++ b/dockers/docker-sonic-gnmi/Dockerfile.j2
@@ -1,5 +1,5 @@
 {% from "dockers/dockerfile-macros.j2" import install_debian_packages, install_python_wheels, copy_files, rsync_from_builder_stage %}
-ARG BASE=docker-config-engine-bookworm-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
+ARG BASE=docker-config-engine-trixie-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
 FROM $BASE AS base
diff --git a/rules/docker-gnmi-sidecar.mk b/rules/docker-gnmi-sidecar.mk
index 44b962b4639..300216a75f6 100644
--- a/rules/docker-gnmi-sidecar.mk
+++ b/rules/docker-gnmi-sidecar.mk
@@ -4,7 +4,7 @@ DOCKER_GNMI_SIDECAR_STEM = docker-gnmi-sidecar
 DOCKER_GNMI_SIDECAR = $(DOCKER_GNMI_SIDECAR_STEM).gz
 DOCKER_GNMI_SIDECAR_DBG = $(DOCKER_GNMI_SIDECAR_STEM)-$(DBG_IMAGE_MARK).gz
-$(DOCKER_GNMI_SIDECAR)_LOAD_DOCKERS = $(DOCKER_CONFIG_ENGINE_BOOKWORM)
+$(DOCKER_GNMI_SIDECAR)_LOAD_DOCKERS = $(DOCKER_CONFIG_ENGINE_TRIXIE)
 $(DOCKER_GNMI_SIDECAR)_PATH = $(DOCKERS_PATH)/$(DOCKER_GNMI_SIDECAR_STEM)
@@ -12,11 +12,11 @@ $(DOCKER_GNMI_SIDECAR)_VERSION = 1.0.0
 $(DOCKER_GNMI_SIDECAR)_PACKAGE_NAME = gnmi-sidecar
 SONIC_DOCKER_IMAGES += $(DOCKER_GNMI_SIDECAR)
-SONIC_BOOKWORM_DOCKERS += $(DOCKER_GNMI_SIDECAR)
+SONIC_TRIXIE_DOCKERS += $(DOCKER_GNMI_SIDECAR)
 SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_GNMI_SIDECAR)
 SONIC_DOCKER_DBG_IMAGES += $(DOCKER_GNMI_SIDECAR_DBG)
-SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_GNMI_SIDECAR_DBG)
+SONIC_TRIXIE_DBG_DOCKERS += $(DOCKER_GNMI_SIDECAR_DBG)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_GNMI_SIDECAR_DBG)
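Review bot: In dockers/docker-gnmi-watchdog/Dockerfile.j2 the builder stage runs `RUN cargo build --release` with no lockfile enforcement, and this change moves that stage onto a different distribution, so the Rust toolchain it gets from the base image or from apt will most likely change with it. Consider `RUN cargo build --release --locked`, so the build fails instead of silently re-resolving crate versions when the toolchain or registry state differs. This assumes a Cargo.lock is present under watchdog/, which the hunk does not show. The package list behind the `apt-get install -y \` line in the first hunk is also outside the visible context, so where cargo comes from should be confirmed there.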
diff --git a/rules/docker-gnmi-watchdog.mk b/rules/docker-gnmi-watchdog.mk
index 234fe77cbeb..6e34e3849a6 100644
--- a/rules/docker-gnmi-watchdog.mk
+++ b/rules/docker-gnmi-watchdog.mk
@@ -4,7 +4,7 @@ DOCKER_GNMI_WATCHDOG_STEM = docker-gnmi-watchdog
 DOCKER_GNMI_WATCHDOG = $(DOCKER_GNMI_WATCHDOG_STEM).gz
 DOCKER_GNMI_WATCHDOG_DBG = $(DOCKER_GNMI_WATCHDOG_STEM)-$(DBG_IMAGE_MARK).gz
-$(DOCKER_GNMI_WATCHDOG)_LOAD_DOCKERS = $(DOCKER_CONFIG_ENGINE_BOOKWORM)
+$(DOCKER_GNMI_WATCHDOG)_LOAD_DOCKERS = $(DOCKER_CONFIG_ENGINE_TRIXIE)
 $(DOCKER_GNMI_WATCHDOG)_PATH = $(DOCKERS_PATH)/$(DOCKER_GNMI_WATCHDOG_STEM)
@@ -12,13 +12,13 @@ $(DOCKER_GNMI_WATCHDOG)_VERSION = 1.0.0
 $(DOCKER_GNMI_WATCHDOG)_PACKAGE_NAME = gnmi_watchdog
 SONIC_DOCKER_IMAGES += $(DOCKER_GNMI_WATCHDOG)
-SONIC_BOOKWORM_DOCKERS += $(DOCKER_GNMI_WATCHDOG)
+SONIC_TRIXIE_DOCKERS += $(DOCKER_GNMI_WATCHDOG)
 ifeq ($(INCLUDE_SYSTEM_GNMI), y)
 SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_GNMI_WATCHDOG)
 endif
 SONIC_DOCKER_DBG_IMAGES += $(DOCKER_GNMI_WATCHDOG_DBG)
-SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_GNMI_WATCHDOG_DBG)
+SONIC_TRIXIE_DBG_DOCKERS += $(DOCKER_GNMI_WATCHDOG_DBG)
 ifeq ($(INCLUDE_SYSTEM_GNMI), y)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_GNMI_WATCHDOG_DBG)
 endif
diff --git a/rules/docker-gnmi.mk b/rules/docker-gnmi.mk
index c3e7165c839..2b224333b18 100644
--- a/rules/docker-gnmi.mk
+++ b/rules/docker-gnmi.mk
@@ -8,14 +8,14 @@ $(DOCKER_GNMI)_PATH = $(DOCKERS_PATH)/$(DOCKER_GNMI_STEM)
 $(DOCKER_GNMI)_DEPENDS += $(SONIC_MGMT_COMMON)
 $(DOCKER_GNMI)_DEPENDS += $(SONIC_TELEMETRY)
-$(DOCKER_GNMI)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_BOOKWORM)_DBG_DEPENDS)
+$(DOCKER_GNMI)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_TRIXIE)_DBG_DEPENDS)
-$(DOCKER_GNMI)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BOOKWORM)
+$(DOCKER_GNMI)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_TRIXIE)
 $(DOCKER_GNMI)_VERSION = 1.0.0
 $(DOCKER_GNMI)_PACKAGE_NAME = gnmi
-$(DOCKER_GNMI)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BOOKWORM)_DBG_IMAGE_PACKAGES)
+$(DOCKER_GNMI)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_TRIXIE)_DBG_IMAGE_PACKAGES)
 # Ensure docker-telemetry-watchdog (which uses a docker-sonic-gnmi-based image)
 # is built before the docker-sonic-gnmi debug image, because the debug image build removes
@@ -23,13 +23,13 @@ $(DOCKER_GNMI)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BOOKWORM)_DBG_IMAGE
 $(DOCKER_GNMI_DBG)_AFTER += $(DOCKER_TELEMETRY_WATCHDOG)
 SONIC_DOCKER_IMAGES += $(DOCKER_GNMI)
-SONIC_BOOKWORM_DOCKERS += $(DOCKER_GNMI)
+SONIC_TRIXIE_DOCKERS += $(DOCKER_GNMI)
 ifeq ($(INCLUDE_SYSTEM_GNMI), y)
 SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_GNMI)
 endif
 SONIC_DOCKER_DBG_IMAGES += $(DOCKER_GNMI_DBG)
-SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_GNMI_DBG)
+SONIC_TRIXIE_DBG_DOCKERS += $(DOCKER_GNMI_DBG)
 ifeq ($(INCLUDE_SYSTEM_GNMI), y)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_GNMI_DBG)
 endif
From b5bb680842bc2ead3bc5ad2870d6ad8fcacdc0a3 Mon Sep 17 00:00:00 2001
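Review bot: After this patch rules/docker-gnmi.mk lists `$(DOCKER_GNMI)` in `SONIC_TRIXIE_DOCKERS`, yet the `$(DOCKER_GNMI_DBG)_AFTER += $(DOCKER_TELEMETRY_WATCHDOG)` context line in the second hunk still orders it against an image that stays in `SONIC_BOOKWORM_DOCKERS` until PATCH 2/5, and docker-telemetry follows only in PATCH 3/5. The message of PATCH 2/5 states that the bookworm build fails in that intermediate state, so the series is not bisectable at this commit. Folding the list changes from rules/docker-telemetry-watchdog.mk and rules/docker-telemetry.mk into this commit would keep every commit buildable.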
From: Dawei Huang
Date: Mon, 9 Mar 2026 16:56:14 +0000
Subject: [PATCH 2/5] [gnmi] Migrate docker-telemetry-watchdog to Debian Trixie docker-telemetry-watchdog is FROM docker-sonic-gnmi, so it must follow docker-sonic-gnmi to Trixie. Without this, building the bookworm target fails because docker-sonic-gnmi is now a Trixie docker and its -load target is not generated for the bookworm build. Verified: docker-telemetry-watchdog.gz builds successfully under BLDENV=trixie with the Trixie slave container.
Signed-off-by: Dawei Huang
---
 rules/docker-telemetry-watchdog.mk | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/docker-telemetry-watchdog.mk b/rules/docker-telemetry-watchdog.mk
index 4f22e2ca63f..5badfc4499d 100644
--- a/rules/docker-telemetry-watchdog.mk
+++ b/rules/docker-telemetry-watchdog.mk
@@ -12,11 +12,11 @@ $(DOCKER_TELEMETRY_WATCHDOG)_VERSION = 1.0.0
 $(DOCKER_TELEMETRY_WATCHDOG)_PACKAGE_NAME = telemetry_watchdog
 SONIC_DOCKER_IMAGES += $(DOCKER_TELEMETRY_WATCHDOG)
-SONIC_BOOKWORM_DOCKERS += $(DOCKER_TELEMETRY_WATCHDOG)
+SONIC_TRIXIE_DOCKERS += $(DOCKER_TELEMETRY_WATCHDOG)
 SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_TELEMETRY_WATCHDOG)
 SONIC_DOCKER_DBG_IMAGES += $(DOCKER_TELEMETRY_WATCHDOG_DBG)
-SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_TELEMETRY_WATCHDOG_DBG)
+SONIC_TRIXIE_DBG_DOCKERS += $(DOCKER_TELEMETRY_WATCHDOG_DBG)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_TELEMETRY_WATCHDOG_DBG)
 $(DOCKER_TELEMETRY_WATCHDOG)_CONTAINER_NAME = telemetry_watchdog
From 46eafe21122b5acccf15f1060cfc3d4368b5b0c9 Mon Sep 17 00:00:00 2001
From: Dawei Huang
Date: Mon, 9 Mar 2026 16:59:15 +0000
Subject: [PATCH 3/5] [gnmi] Migrate docker-sonic-telemetry to Debian Trixie docker-sonic-telemetry is FROM docker-sonic-gnmi (twins), so it must follow docker-sonic-gnmi to Trixie. Also carries forward the docker-telemetry-watchdog Trixie migration from the previous commit for the same reason. Verified: docker-sonic-telemetry.gz builds successfully under BLDENV=trixie with the Trixie slave container.
Signed-off-by: Dawei Huang
---
 rules/docker-telemetry.mk | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/docker-telemetry.mk b/rules/docker-telemetry.mk
index 5869f7885b9..b83ad981219 100644
--- a/rules/docker-telemetry.mk
+++ b/rules/docker-telemetry.mk
@@ -16,13 +16,13 @@ $(DOCKER_TELEMETRY)_PACKAGE_NAME = telemetry
 $(DOCKER_TELEMETRY)_DBG_IMAGE_PACKAGES = $($(DOCKER_GNMI)_DBG_IMAGE_PACKAGES)
 SONIC_DOCKER_IMAGES += $(DOCKER_TELEMETRY)
-SONIC_BOOKWORM_DOCKERS += $(DOCKER_TELEMETRY)
+SONIC_TRIXIE_DOCKERS += $(DOCKER_TELEMETRY)
 ifeq ($(INCLUDE_SYSTEM_TELEMETRY), y)
 SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_TELEMETRY)
 endif
 SONIC_DOCKER_DBG_IMAGES += $(DOCKER_TELEMETRY_DBG)
-SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_TELEMETRY_DBG)
+SONIC_TRIXIE_DBG_DOCKERS += $(DOCKER_TELEMETRY_DBG)
 ifeq ($(INCLUDE_SYSTEM_TELEMETRY), y)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_TELEMETRY_DBG)
 endif
From 3ab684dfc95cba573f759669f87437c13cb4cc3a Mon Sep 17 00:00:00 2001
From: Dawei Huang
Date: Wed, 18 Mar 2026 16:11:33 +0000
Subject: [PATCH 4/5] Update sonic-gnmi submodule to include buildvcs fix (#622)
Signed-off-by: Dawei Huang
---
 src/sonic-gnmi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sonic-gnmi b/src/sonic-gnmi
index 5b8142273c8..2a5d4c8de32 160000
--- a/src/sonic-gnmi
+++ b/src/sonic-gnmi
@@ -1 +1 @@
-Subproject commit 5b8142273c83b950cb328ea1b518fc5890ee516d
+Subproject commit 2a5d4c8de32058cdd93aa3db54bcde9ff1f75f39
From 6a7c7e5e39fd8ea22bd32d566ad924a66fcc1cf4 Mon Sep 17 00:00:00 2001
From: Dawei Huang
Date: Fri, 27 Mar 2026 06:00:50 +0000
Subject: [PATCH 5/5] Update trixie FIPS version to include Golang FIPS fix Cherry-pick the FIPS version bump from PR #26431 to pick up the rebuilt trixie FIPS Go packages with sonic_fips detection and symcryptprovider patches correctly applied.
Signed-off-by: Dawei Huang
---
 rules/sonic-fips.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/sonic-fips.mk b/rules/sonic-fips.mk
index fc7147ef73b..fc5d858bb0e 100644
--- a/rules/sonic-fips.mk
+++ b/rules/sonic-fips.mk
@@ -2,7 +2,7 @@ ifeq ($(BLDENV), trixie)
-FIPS_VERSION = 1.8.0-24-gd744cf2
+FIPS_VERSION = 1.8.0-24-gd744cf2-2
 FIPS_OPENSSL_VERSION = 3.5.4-1+fips
 FIPS_OPENSSH_VERSION = 10.0p1-7+fips
 FIPS_PYTHON_MAIN_VERSION = 3.13