[gnmi] Migrate gnmi, telemetry, and watchdog containers to Debian Trixie #26499
hdwhdw wants to merge 8 commits into sonic-net:master from
Conversation
…i-watchdog to Debian Trixie Update base image references from docker-config-engine-bookworm to docker-config-engine-trixie for all three gnmi-related containers. Move them from SONIC_BOOKWORM_DOCKERS to SONIC_TRIXIE_DOCKERS to align with the ongoing container migration to Debian 13 (Trixie). This follows the same pattern as PR sonic-net#25942 (Brcm containers migrate to trixie) and builds on the Trixie base layers added in PR sonic-net#25184. Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
docker-telemetry-watchdog is FROM docker-sonic-gnmi, so it must follow docker-sonic-gnmi to Trixie. Without this, building the bookworm target fails because docker-sonic-gnmi is now a Trixie docker and its -load target is not generated for the bookworm build. Verified: docker-telemetry-watchdog.gz builds successfully under BLDENV=trixie with the Trixie slave container. Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
docker-sonic-telemetry is FROM docker-sonic-gnmi (twins), so it must follow docker-sonic-gnmi to Trixie. Also carries forward the docker-telemetry-watchdog Trixie migration from the previous commit for the same reason. Verified: docker-sonic-telemetry.gz builds successfully under BLDENV=trixie with the Trixie slave container. Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
Cherry-pick the FIPS version bump from PR sonic-net#26431 to pick up the rebuilt trixie FIPS Go packages with sonic_fips detection and symcryptprovider patches correctly applied. Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Pull request overview
This PR migrates gNMI/telemetry Docker build rules and Dockerfile base images from Debian bookworm to Debian trixie within the SONiC buildimage ruleset, and updates the trixie FIPS package version pin.
Changes:
- Switch gNMI/telemetry Docker images (and watchdog/sidecar variants) to use trixie config-engine base images and trixie docker lists.
- Update distro-specific docker list registration from SONIC_BOOKWORM_* to SONIC_TRIXIE_* for the affected images.
- Bump FIPS_VERSION for BLDENV=trixie.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| rules/sonic-fips.mk | Updates trixie FIPS version pin. |
| rules/docker-telemetry.mk | Registers telemetry docker images under trixie docker lists. |
| rules/docker-telemetry-watchdog.mk | Registers telemetry-watchdog docker images under trixie docker lists. |
| rules/docker-gnmi.mk | Switches gNMI debug deps/load-dockers to trixie config-engine and registers under trixie lists. |
| rules/docker-gnmi-watchdog.mk | Switches gNMI-watchdog load docker to trixie config-engine and registers under trixie lists. |
| rules/docker-gnmi-sidecar.mk | Switches gNMI-sidecar load docker to trixie config-engine and registers under trixie lists. |
| dockers/docker-sonic-gnmi/Dockerfile.j2 | Changes gNMI image base from config-engine-bookworm to config-engine-trixie. |
| dockers/docker-gnmi-watchdog/Dockerfile.j2 | Changes builder/runtime base images from config-engine-bookworm to config-engine-trixie. |
| dockers/docker-gnmi-sidecar/Dockerfile.j2 | Changes gNMI-sidecar image base from config-engine-bookworm to config-engine-trixie. |
| SONIC_DOCKER_IMAGES += $(DOCKER_TELEMETRY_WATCHDOG) | ||
| SONIC_BOOKWORM_DOCKERS += $(DOCKER_TELEMETRY_WATCHDOG) | ||
| SONIC_TRIXIE_DOCKERS += $(DOCKER_TELEMETRY_WATCHDOG) | ||
| SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_TELEMETRY_WATCHDOG) | ||
|
|
||
| SONIC_DOCKER_DBG_IMAGES += $(DOCKER_TELEMETRY_WATCHDOG_DBG) | ||
| SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_TELEMETRY_WATCHDOG_DBG) | ||
| SONIC_TRIXIE_DBG_DOCKERS += $(DOCKER_TELEMETRY_WATCHDOG_DBG) | ||
| SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_TELEMETRY_WATCHDOG_DBG) |
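Review bot: the unconditional `SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_TELEMETRY_WATCHDOG)` and `SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_TELEMETRY_WATCHDOG_DBG)` lines no longer match the docker lists above them, which this hunk makes trixie-only; wrapping both install lines in `ifeq ($(BLDENV), trixie)` ... `endif` keeps the installer from requesting an image that the bookworm build no longer produces. Since the commit message says this image is FROM docker-sonic-gnmi, the same guard has to be applied in docker-gnmi.mk as well, otherwise the build dependency chain is split across two distros.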
docker-telemetry-watchdog is now only added to SONIC_TRIXIE_DOCKERS, but it is still unconditionally added to SONIC_INSTALL_DOCKER_IMAGES / SONIC_INSTALL_DOCKER_DBG_IMAGES. In a bookworm build, this will make installers request docker-telemetry-watchdog.gz while the docker target is not generated (since DOCKER_IMAGES := $(SONIC_BOOKWORM_DOCKERS)), leading to a missing-target build failure. Gate the install lists by BLDENV==trixie (or keep the image in the bookworm docker list as well) so bookworm builds remain consistent.
| SONIC_DOCKER_IMAGES += $(DOCKER_GNMI_SIDECAR) | ||
| SONIC_BOOKWORM_DOCKERS += $(DOCKER_GNMI_SIDECAR) | ||
| SONIC_TRIXIE_DOCKERS += $(DOCKER_GNMI_SIDECAR) | ||
| SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_GNMI_SIDECAR) | ||
|
|
||
| SONIC_DOCKER_DBG_IMAGES += $(DOCKER_GNMI_SIDECAR_DBG) | ||
| SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_GNMI_SIDECAR_DBG) | ||
| SONIC_TRIXIE_DBG_DOCKERS += $(DOCKER_GNMI_SIDECAR_DBG) | ||
| SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_GNMI_SIDECAR_DBG) |
docker-gnmi-sidecar is now only added to SONIC_TRIXIE_DOCKERS, but it is still unconditionally included in SONIC_INSTALL_DOCKER_IMAGES / SONIC_INSTALL_DOCKER_DBG_IMAGES. For bookworm builds, this will cause installers to depend on an image that isn't part of DOCKER_IMAGES (derived from SONIC_BOOKWORM_DOCKERS), resulting in a missing-target build failure. Gate installation on BLDENV==trixie (or provide a bookworm variant) to keep installer docker lists aligned with buildable docker images.
| SONIC_DOCKER_IMAGES += $(DOCKER_GNMI_WATCHDOG) | ||
| SONIC_BOOKWORM_DOCKERS += $(DOCKER_GNMI_WATCHDOG) | ||
| SONIC_TRIXIE_DOCKERS += $(DOCKER_GNMI_WATCHDOG) | ||
| ifeq ($(INCLUDE_SYSTEM_GNMI), y) | ||
| SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_GNMI_WATCHDOG) | ||
| endif |
docker-gnmi-watchdog is now only added to SONIC_TRIXIE_DOCKERS/SONIC_TRIXIE_DBG_DOCKERS. If INCLUDE_SYSTEM_GNMI=y is enabled in a bookworm build, the installer lists will include this image but the bookworm docker target list (DOCKER_IMAGES := $(SONIC_BOOKWORM_DOCKERS)) will not, causing a missing-target build failure. Consider additionally gating the SONIC_INSTALL_DOCKER_IMAGES additions on BLDENV==trixie (or keeping the image in the bookworm lists) so enabling GNMI doesn’t break bookworm builds.
| SONIC_DOCKER_IMAGES += $(DOCKER_GNMI) | ||
| SONIC_BOOKWORM_DOCKERS += $(DOCKER_GNMI) | ||
| SONIC_TRIXIE_DOCKERS += $(DOCKER_GNMI) | ||
| ifeq ($(INCLUDE_SYSTEM_GNMI), y) | ||
| SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_GNMI) | ||
| endif |
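Review bot: the existing `ifeq ($(INCLUDE_SYSTEM_GNMI), y)` guard around `SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_GNMI)` is the natural place for the distro check: nesting `ifeq ($(BLDENV), trixie)` inside it makes a bookworm build with GNMI enabled skip the install entry instead of failing on a missing docker-sonic-gnmi.gz target, which the second commit message already reports as broken for the bookworm build. The PR description should also state explicitly whether bookworm builds of the gNMI containers are intentionally dropped by this change.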
docker-sonic-gnmi is now marked as a trixie-only docker (SONIC_TRIXIE_DOCKERS) and its debug deps/load-dockers reference DOCKER_CONFIG_ENGINE_TRIXIE. If INCLUDE_SYSTEM_GNMI=y is enabled for a bookworm build, the installer docker lists will include this image but it will not be part of the bookworm docker build target set (DOCKER_IMAGES := $(SONIC_BOOKWORM_DOCKERS)), leading to a missing-target build failure. Gate GNMI installation on BLDENV==trixie (or provide a bookworm build path) to avoid breaking existing bookworm builds when GNMI is enabled.
/azpw ms_conflict
Points sonic-gnmi submodule to hdwhdw/sonic-gnmi branch fix-fips-session-ticket-panic which disables TLS session tickets. The SymCrypt FIPS provider does not implement AES-128-CTR cipher mode. When sonic_fips=1 is set in the kernel cmdline, Go's FIPS runtime enables FIPS-only cipher fetching, causing EVP_CIPHER_fetch to return NULL for AES-128-CTR. TLS 1.3 session ticket encryption uses this cipher mode, resulting in a panic that crashes the gNMI server during certificate rotation. Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
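The mitigation that commit describes, as an added example that is not code from sonic-gnmi or this PR: a stock crypto/tls server (not the FIPS-backed Go toolchain) with SessionTicketsDisabled set, checked over a loopback TCP listener by whether the client ends up holding a resumption ticket. The certificate is a constructed self-signed fixture, and with no ticket to encrypt the AES-128-CTR cipher fetch that fails under sonic_fips=1 is never reached.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)
// selfSignedCert builds a throwaway "localhost" certificate (constructed test data, not a SONiC cert).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the client trusts only this fixture certificate
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}
// ticketIssued runs one TLS 1.3 handshake over loopback TCP and reports whether the server handed
// out a resumption ticket, which the fix avoids by setting SessionTicketsDisabled on the server.
func ticketIssued(disableTickets bool) (bool, error) {
	cert, pool := selfSignedCert()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return false, err }
	defer ln.Close()
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13,
		SessionTicketsDisabled: disableTickets}
	go func() {
		if conn, err := ln.Accept(); err == nil {
			s := tls.Server(conn, srv)
			s.Write([]byte("ok")) // Write runs the handshake; any ticket rides in the server flight
			s.Close()
		}
	}()
	cache := tls.NewLRUClientSessionCache(4)
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool,
		ServerName: "localhost", MinVersion: tls.VersionTLS13, ClientSessionCache: cache})
	if err != nil { return false, err }
	defer c.Close()
	// Reading application data also processes the post-handshake NewSessionTicket message.
	if _, err := io.ReadAll(c); err != nil { return false, err }
	_, ok := cache.Get("localhost")
	return ok, nil
}
```

ticketIssued(true) returns false and ticketIssued(false) returns true; the absence of the ticket is the observable effect of the fix, and the client cache is where a gNMI client would otherwise see it.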
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
/azpw ms_conflict
sonic-net/sonic-gnmi#635 has been merged. Point the submodule back to sonic-net/sonic-gnmi master instead of the fork branch. Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
The Go FIPS package version for trixie was missing the +fips suffix (1.24.4-1 instead of 1.24.4-1+fips), causing the armhf pipeline build to fail when fetching the package. All other FIPS packages already use the +fips suffix consistently. Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
/azpw ms_conflict
…tion Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Please add the commits that are being brought in in the submodule update in the description above.
Done, updated the description with the sonic-gnmi submodule commits (a86eb43 → 181841b).
Part of #25959
Summary
Migrate the gnmi, telemetry, and watchdog containers from Debian Bookworm to Debian Trixie.
Update base image references from docker-config-engine-bookworm to docker-config-engine-trixie for all gnmi-related containers. Move them from SONIC_BOOKWORM_DOCKERS to SONIC_TRIXIE_DOCKERS to align with the ongoing container migration to Debian 13 (Trixie). docker-telemetry-watchdog and docker-sonic-telemetry are both FROM docker-sonic-gnmi, so they must follow it to Trixie. This follows the same pattern as PR #25942 (Brcm containers migrate to trixie) and builds on the Trixie base layers added in PR #25184.
Containers migrated
- docker-sonic-gnmi
- docker-gnmi-sidecar
- docker-gnmi-watchdog
- docker-telemetry-watchdog
- docker-sonic-telemetry
- sonic-gnmi submodule update (a86eb43 → 181841b)
FIPS fixes
- 1.8.0-24-gd744cf2 to 1.8.0-24-gd744cf2-2 to include the Golang FIPS fix with sonic_fips detection and symcryptprovider patches.
- 1.24.4-1 to 1.24.4-1+fips (missing +fips suffix caused armhf build failure).
Testing
- gnmi/test_gnmi_stress.py: 1 passed
- telemetry/test_telemetry_cert_rotation.py: 4 passed
Signed-off-by: Dawei Huang