diff --git a/dockers/docker-ptf/Dockerfile.j2 b/dockers/docker-ptf/Dockerfile.j2
index 1ea290977c1..7ed73ef7cdc 100644
--- a/dockers/docker-ptf/Dockerfile.j2
+++ b/dockers/docker-ptf/Dockerfile.j2
@@ -95,6 +95,27 @@ RUN apt-get update \
 wireshark-common \
 freeradius \
 quilt
+
+# Install Go toolchain for building grpcurl and gnoic from source
+# to ensure they use a patched Go stdlib (GO-2026-4337: crypto/tls)
+{% if CONFIGURED_ARCH == "armhf" %}
+RUN GO_ARCH=armv6l \
+{% elif CONFIGURED_ARCH == "arm64" %}
+RUN GO_ARCH=arm64 \
+{% else %}
+RUN GO_ARCH=amd64 \
+{% endif %}
+ && GO_VERSION=1.25.8 \
+ && curl -L "https://go.dev/dl/go${GO_VERSION}.linux-${GO_ARCH}.tar.gz" -o /tmp/go.tar.gz \
+ && tar -C /usr/local -xzf /tmp/go.tar.gz \
+ && rm /tmp/go.tar.gz
+
+ENV PATH="/usr/local/go/bin:$HOME/go/bin:$PATH"
+
+# Build grpcurl from source with patched Go (GO-2026-4337)
+RUN go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.9.3 \
+ && mv "$(go env GOPATH)/bin/grpcurl" /usr/local/bin/grpcurl \
+ && chmod +x /usr/local/bin/grpcurl
 # Security fixes: upgrade vulnerable system packages (S360 scan remediation)
 RUN apt-get update && apt-get install -y --only-upgrade \
 telnet \
@@ -263,11 +284,11 @@ RUN pip3 install Flask \
 && pip3 install jinja2

 # gnxi/gnmi_cli_py ships pre-generated _pb2.py stubs; they are
-# Pin to 6.31.1 to match grpcio-tools keep a known-good version.
+# Pin to 6.33.5 to match grpcio-tools keep a known-good version.
 RUN set -e; \
 . /etc/os-release; \
 if [ "$VERSION_CODENAME" = "bookworm" ]; then \
- pip3 install protobuf==6.31.1; \
+ pip3 install protobuf==6.33.5; \
 else \
 pip3 install protobuf; \
 fi
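Review bot: In the first Dockerfile.j2 hunk (`@@ -95,6 +95,27 @@`) the Go tarball fetched by `curl -L` is unpacked into /usr/local with no integrity check, so the toolchain that is meant to deliver the GO-2026-4337 fix is trusted on transport alone. Set the published SHA-256 for each architecture next to `GO_ARCH` in the three Jinja branches (for example `RUN GO_ARCH=amd64 GO_SHA256=PLACEHOLDER_SHA256_FROM_GO_DEV_DL \`) and verify before extracting with `&& echo "${GO_SHA256}  /tmp/go.tar.gz" | sha256sum -c - \`. Using `curl -fsSL` would also make an HTTP error fail at the download step instead of at `tar`. Separately, `$HOME` in the added `ENV PATH=...` line is expanded by the Dockerfile parser rather than a shell, so unless `HOME` is declared with `ENV` earlier in the file (not visible here) that entry becomes `/go/bin`; it is harmless only because grpcurl is moved to /usr/local/bin.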
@@ -316,7 +337,7 @@ RUN cd gnxi \
 && cd gnmi_cli_py \
 {% if PTF_ENV_PY_VER == "mixed" %}
 && pip install -r requirements.txt \
- && pip3 install protobuf==6.31.1 --no-binary=protobuf
+ && pip3 install protobuf==6.33.5 --no-binary=protobuf
 {% else %}
 && wget -q -O gnmi_ext.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi_ext/gnmi_ext.proto \
 && wget -q -O gnmi.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi/gnmi.proto \
@@ -329,11 +350,18 @@ RUN cd gnxi \
 {% endif %}

 # Install gnoic tool
+# Without specifying the version there is a failure
+# to determine the latest version automatically.
+#
+# root@a2014cb5bc54:~/gnoic# ./install.sh
+# Warning: Failed to verify the package: https://api.github.com/repos/karimra/gnoic/releases/latest, the version is not specified
+# Could not determine the latest release
+# Failed to install gnoic
+# For support, go to https://github.com/karimra/gnoic/issues
 RUN git clone https://github.com/karimra/gnoic.git \
 && cd gnoic \
 && git checkout 27bc5a6 \
- && chmod +x install.sh \
- && ./install.sh --version 0.2.1 \
+ && go build -o /usr/local/bin/gnoic . \
 && cd .. \
 && rm -rf gnoic

@@ -348,6 +376,10 @@ RUN dpkg -i \
 debs/{{ deb }}{{' '}}
 {%- endfor %}

+# Remove Go toolchain to reduce image size
+RUN rm -rf /usr/local/go "$(go env GOPATH 2>/dev/null || echo $HOME/go)"
+ENV PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
 {% if PTF_ENV_PY_VER == "py3" %}
 # Create symlink so that test scripts and ptf_runner invocation path
 # is same across python 2 and python 3 envs. Note that for virtual-env
diff --git a/dockers/docker-ptf/gnxi-patches/0005-Enhance-gnmi_cli_py-4.patch b/dockers/docker-ptf/gnxi-patches/0005-Enhance-gnmi_cli_py-4.patch
index 0028ff52958..eb8fcc4b673 100644
--- a/dockers/docker-ptf/gnxi-patches/0005-Enhance-gnmi_cli_py-4.patch
+++ b/dockers/docker-ptf/gnxi-patches/0005-Enhance-gnmi_cli_py-4.patch
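Review bot: The comment block added above the gnoic step in the `@@ -329,11 +350,18 @@` hunk explains why `install.sh` needed `--version`, but the same hunk removes the `install.sh` call, so the comment documents a step that no longer runs. A comment that matches the new code would be `# Build gnoic from the pinned commit with the patched Go toolchain (GO-2026-4337) instead of running install.sh`. The build now depends entirely on `git checkout 27bc5a6`, an abbreviated hash on an unchanged line; a full 40-character commit ID would make the pin unambiguous. It is also worth confirming that this commit corresponds to the 0.2.1 release the old line requested, which the hunk does not show.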
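Review bot: The `RUN rm -rf /usr/local/go ...` added in the `@@ -348,6 +376,10 @@` hunk runs in its own layer, so the toolchain unpacked by the earlier `RUN` is still stored in the image and the size does not go down unless the image is squashed afterwards. The Go build cache (`go env GOCACHE`) is not removed either. Building grpcurl and gnoic in a separate build stage and copying only the two binaries across, along the lines of `COPY --from=gobuild /usr/local/bin/grpcurl /usr/local/bin/gnoic /usr/local/bin/` (stage name illustrative), would keep the toolchain out of the final image entirely. The hard-coded `ENV PATH=...` also discards any PATH entries set earlier in the file other than the Go ones; whether any exist is not visible in this diff.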
@@ -320,7 +320,7 @@ index dab2db6..e32b3ff 100644
 -grpcio-tools==1.15.0
 +grpcio==1.41.1
 +grpcio-tools==1.41.1
- protobuf==6.31.1 --no-binary=protobuf
+ protobuf==6.33.5 --no-binary=protobuf
 six==1.12.0
 --
 2.48.1.windows.1
diff --git a/dockers/dockerfile-macros.j2 b/dockers/dockerfile-macros.j2
index a2da3643ff2..6c908aa857f 100644
--- a/dockers/dockerfile-macros.j2
+++ b/dockers/dockerfile-macros.j2
@@ -41,6 +41,6 @@ COPY \
 {% macro install_offending_packages(packages) -%}
 {%- for pkg in packages %}
 RUN pip3 install {{ pkg }}
- RUN pip3 install setuptools==65.5.1
+ RUN pip3 install setuptools
 {%- endfor %}
 {%- endmacro %}
\ No newline at end of file
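Review bot: In the dockerfile-macros.j2 hunk the new `RUN pip3 install setuptools` has no version constraint and no `--upgrade`, so pip leaves any setuptools that is already installed untouched and otherwise installs whatever release is newest at build time. If the aim is to move off 65.5.1 to a fixed release, state the floor explicitly, e.g. `RUN pip3 install 'setuptools>=MIN_FIXED_VERSION'` (placeholder), or keep an exact pin at the newer version so builds stay reproducible. The line still runs once per package inside the `for` loop, as before.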