ACL and Decap permanent configuration#132

Closed
andriymoroz-mlnx wants to merge 4 commits into sonic-net:master from andriymoroz-mlnx:permanent_config

@andriymoroz-mlnx
Contributor

to apply ACL configuration:

    ansible-playbook testbed_add_configuration.yml -i inventory --limit arc-switch1025 --tags acl -vvvv

or

    ./testbed-cli.sh add-config arc-switch1025 acl

@andriymoroz-mlnx andriymoroz-mlnx changed the title ACL permanent configuration ACL and Decap permanent configuration Mar 6, 2017
echo Done
}

function add_config
Contributor

@qiluo-msft qiluo-msft Mar 13, 2017

add_config

This function has nothing to do with 'testbed'. Suggest removing it. Since it is quite simple, there is no need to wrap a script around the playbook. Add the ansible command line as a comment to the YML file. #Closed

Contributor Author

It is actually a part of the testbed configuration. I think it is better to have everything in one place, like

    testbed-cli.sh start-vms ...
    testbed-cli.sh add-topo ...
    testbed-cli.sh add-config ...

- name: Copy ACL config file to the DUT
copy: src="/tmp/{{ item }}.json" dest="/tmp/{{ item }}.json"
with_items:
- "{{ acltb_configs }}"
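
Review bot: The `copy` task takes its source from `/tmp/{{ item }}.json` on the control host and writes to the same predictable name under `/tmp` on the DUT, so on either side any other local user can pre-create or swap the file before it is consumed. Stage the rendered config in a directory owned by the deploying user (or template it straight to its final location), set an explicit restrictive `mode` on the destination, and remove the staged file once it has been loaded.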
Contributor

@qiluo-msft qiluo-msft Mar 13, 2017

Why not run the 'template' task remotely? No need to copy. #Closed

Contributor Author

@andriymoroz-mlnx andriymoroz-mlnx Mar 20, 2017

Are there any examples of how to do this?
The other tests (fib, lag) use the same approach.
UPD: found in quagga.yml

- "{{ acltb_configs }}"

- name: Copy ACL config files to the swss container
command: docker cp "/tmp/{{ item }}.json" swss:/etc/swss/config.d/"{{ item }}.json"
Contributor

@qiluo-msft qiluo-msft Mar 13, 2017

command: docker cp

If you follow the existing code 'ansible_shell_type', you don't need a 'docker cp' command. It is more ansible-friendly.
Sample: https://github.com/Azure/sonic-mgmt/blob/master/ansible/roles/sonicv2/tasks/quagga.yml#L82 #Closed

command: docker cp "/tmp/swssconfig_args_update.sh" swss:/tmp/swssconfig_args_update.sh

- name: Make script executable
command: docker exec -t swss bash -c 'chmod +x /tmp/swssconfig_args_update.sh'
Contributor

@qiluo-msft qiluo-msft Mar 13, 2017

chmod

You can chmod before you add the file to git. There is no need to chmod during runtime. #Closed

Contributor Author

Right, it is already executable. Will remove this task.

connection: local

- name: Copy conf file to the switch
copy: src="/tmp/decap_conf.json" dest="/tmp/decap_conf.json"
Contributor

@qiluo-msft qiluo-msft Mar 13, 2017

Run template task remotely #Closed


- name: Modify start.sh to apply ACL config on start (table)
command: docker exec -t swss bash -c '/tmp/swssconfig_args_update.sh /usr/bin/start.sh /etc/swss/config.d/acltb_\*table.json'
become: yes
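
Review bot: In the `Modify start.sh` task the helper is executed from `/tmp/swssconfig_args_update.sh` inside the swss container with `become: yes`, and the result is a persistent edit to `/usr/bin/start.sh`. A script that rewrites a startup file should not be run from a world-writable path: run it with the `script` module straight from the role's files, or install it to a root-owned location first. Nothing visible in the task guards against a second playbook run editing start.sh again, so the helper should detect that its argument is already present and exit without changes.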
Contributor

@qiluo-msft qiluo-msft Mar 13, 2017

If you follow the existing code 'ansible_shell_type', you can directly use 'script' task inside remote docker. #Closed

@@ -0,0 +1,9 @@
#!/bin/bash
Contributor

@qiluo-msft qiluo-msft Mar 14, 2017

This script is lacking comment. Could you also give some samples?
More general question: is it ever possible to test the DUT without changing the content of the docker container? #Closed

Contributor Author

Added comment and usage example.

Contributor Author

This change is not for the test. It adds permanent configuration for the testbed. To let it survive the reboot I have to modify start.sh.

@@ -0,0 +1,167 @@
#!/usr/bin/python
Contributor

@qiluo-msft qiluo-msft Mar 14, 2017

This file is never used? #Closed

Contributor Author

It was used to convert the ACL rules list from the xml format to the json file for swssconfig.
If we ever decide to update the list of rules (from a different xml) we will need this tool.

@qiluo-msft
Contributor

[

This is a plain text file, not a Jinja2 template. Do you have a Jinja2 to dynamically generate this long file?


Refers to: ansible/roles/configure/templates/acltb_persistent_acl_rules.j2:1 in ed2a675.

@qiluo-msft
Contributor

🕐

@andriymoroz-mlnx
Contributor Author

ansible/roles/configure/templates/acltb_persistent_acl_rules.j2 is a template for several reasons

  • to keep it together with the similar "table" file
  • to have unified processing of table+rules in ansible script

@pavel-shirshov
Contributor

Hi Andriy,

Can you please give an overview of what this PR does?
I checked your source code a couple of times, but I still don't understand 100% what the goal of your code is.

Also, the DUT consists of VMs, ptf containers, openvswitch configuration, and fanout infrastructure. What part of the testbed are you going to modify here?

Thanks

@andriymoroz-mlnx
Contributor Author

It applies "permanent configuration" to the DUT - some settings which represent a kind of "load" on the switch. It will not help or interfere with the testbed tests; it should just exist on the switch.
This PR adds changes which help to apply such configuration. Currently ACL and Decap. AFAIK Everflow will be added as well.


- name: Copy start.sh modification script to the DUT/swss
copy: src=roles/configure/files/helpers/swssconfig_args_update.sh
dest=/tmp/swssconfig_args_update.sh
Contributor

swssconfig_args_update.sh

I noticed you copy the script (swssconfig_args_update.sh) to remote and run it. You may try 'script' module to simplify the steps.

"ttl_mode":"pipe"
},
"OP": "SET"
}
Contributor

There is another decap_confg.j2 file under /roles/test/templates. Are they for different purposes? Or shall we remove that one?

- fail: msg="information about testbed missing."
when: (lo_ip is not defined) or
(dscp_mode is not defined)

Contributor

@sihuihan88 sihuihan88 Apr 17, 2017

Let me ask a silly question: after the interface is configured following decap rule, is there any way to reset it back to a normal interface? If so how could we do it?

nhe-NV pushed a commit to nhe-NV/sonic-mgmt that referenced this pull request May 12, 2025
…sts (sonic-net#132)

<!--
Please make sure you've read and understood our contributing guidelines;
https://github.com/sonic-net/SONiC/blob/gh-pages/CONTRIBUTING.md

Please provide following information to help code review process a bit easier:
-->
### Description of PR
<!--
- Please include a summary of the change and which issue is fixed.
- Please also include relevant motivation and context. Where should reviewer start? background context?
- List any dependencies that are required for this change.
-->

Summary:
Microsoft ADO id: 30441649
After [PR 3317 in sonic-swss repo](sonic-net/sonic-swss#3317), it is possible to configure ERSPAN sessions with IPv6 source and destination addresses. This PR parametrizes existing Everflow tests with the IP version of the mirrored GRE packets (i.e., the version of the outer IP header).

### Type of change

<!--
- Fill x for your type of change.
- e.g.
- [x] Bug fix
-->

- [ ] Bug fix
- [ ] Testbed and Framework(new/improvement)
- [ ] New Test case
 - [ ] Skipped for non-supported platforms
- [x] Test case improvement

### Back port request
- [ ] 202012
- [ ] 202205
- [ ] 202305
- [ ] 202311
- [ ] 202405
- [ ] 202411

### Approach
#### What is the motivation for this PR?
Adding support for IPv6 encapsulation to Everflow packet mirroring tests.

#### How did you do it?
Parametrized existing Everflow tests with the IP version of the outer IP header.

#### How did you verify/test it?
Tested on Broadcom T0.

#### Any platform specific information?
N/A

#### Supported testbed topology if it's a new test case?
T0, T1, T2, and M0

### Documentation
<!--
(If it's a new feature, new test case)
Did you update documentation/Wiki relevant to your implementation?
Link to the wiki page?
-->
N/A
kazinator-arista pushed a commit to kazinator-arista/sonic-mgmt that referenced this pull request Mar 4, 2026
[202012][sonic-linkmgrd] submodule update

commit efee4d5b807887bae14c16a8a297756739fcc17e (HEAD -> 202012, upstream/202012)
Author: Jing Zhang <[email protected]>
Date:   Mon Oct 3 09:40:55 2022 -0700

    [Active-Standby] fix syslog flood caused by `unkown -> standby` switchovers  (sonic-net#137)
    
    Description of PR
    Summary:
    Fixes # (issue)
    
    This is to fix the syslog flood issue caused by repeated switchovers from unknown to standby. The scenario trigged the issue was when xcvrd timed out toggles requests but was able to probe:
    Linkmgrd toggles to standby
    -> toggles fails, xcvrd writes unknown
    -> linkmgrd probes mux state
    -> xcvrd writes standby
    -> linkmgrd toggles to standby (previous mux state was unknown, switching to match)
    -> toggles fails, xcvrd writes unknown
    -> ... ...
    
    sign-off: Jing Zhang [email protected]

commit d4de3d31db6512b045c050533cd9e11a92522916
Author: Jing Zhang <[email protected]>
Date:   Tue Sep 27 10:36:59 2022 -0700

    [202012][Cherry-pick] Post switchover reasons to STATE DB (sonic-net#138)

    Description of PR
    Summary:
    Fixes # (issue)

    Cherry-pick conflict:
    ea68e8c Jing Zhang Wed Sep 21 10:52:18 2022 -0700 Post switchover reasons to STATE DB (sonic-net#131)
    a5a9f90 Hua Liu Fri Sep 16 09:54:32 2022 +0800 Install libyang to azure pipeline (sonic-net#132)

    sign-off: Jing Zhang [email protected]
kazinator-arista pushed a commit to kazinator-arista/sonic-mgmt that referenced this pull request Mar 4, 2026
#### Why I did it

Update submodule for sonic-swss:

e739e6c - 2023-01-27 : custom advertised prefix for primary vxlan tunnel [202012]  (sonic-net#2641) [siqbal1986]

sonic-restapi:
99c467d - 2023-01-24 : Add API support for adv prefix and custom monitoring (sonic-net#133) [Prince Sunny]
347684a - 2022-11-30 : Use github code scanning instead of LGTM (sonic-net#132) [Liu Shilong]
kazinator-arista pushed a commit to kazinator-arista/sonic-mgmt that referenced this pull request Mar 4, 2026
…bmodule head (sonic-net#12264)

linkmgrd:
* 44f182b 2022-10-03 | [Active-Standby] fix syslog flood caused by `unkown -> standby` switchovers  (sonic-net#137) (HEAD -> 202205) [Jing Zhang]
* 9284ce1 2022-09-26 | [Active-Active] avoid being stuck in `unknown` after process init (sonic-net#136) [Jing Zhang]
* 55711d7 2022-09-16 | Install libyang to azure pipeline (sonic-net#132) [Hua Liu]

swss:
* 2f7da1e 2022-09-30 | [build] add missing package libyang-dev in lgtm.yml (sonic-net#2475) (HEAD -> 202205, github/202205) [Qi Luo]

platform-daemon:
* 5b96170 2022-09-23 | add support to execute new ycable API's, add datetime field to mux_info (sonic-net#297) (HEAD -> 202205) [vdahiya12]

platform-common:
* de1bd8e 2022-09-28 | Remove shell=True (sonic-net#313) (HEAD -> 202205) [Mai Bui]
* 77760bf 2022-09-23 | [credo][ycable] remove mux-toggle inprogress flags for some API's (sonic-net#311) [vdahiya12]

Signed-off-by: Ying Xie <[email protected]>

Signed-off-by: Ying Xie <[email protected]>
kazinator-arista pushed a commit to kazinator-arista/sonic-mgmt that referenced this pull request Mar 4, 2026
…ically (#25742)

#### Why I did it
src/sonic-dash-ha
```
* 8f9893d - (HEAD -> 202511, origin/master, origin/HEAD, origin/202511, master) Create bfd sessions only to NPU participating ha-set (sonic-net#143) (9 days ago) [yue-fred-gao]
* a6cf697 - update dash-api submodule (10 days ago) [Jing Zhang]
* 64022eb - Change convert_pb_to_json to parse proto encoded value from binary input (sonic-net#142) (10 days ago) [yue-fred-gao]
* 53fb250 - [ci] fix build error and save binaries (sonic-net#144) (11 days ago) [Jing Zhang]
* d01ed94 - Add .github/copilot-instructions.md for AI-assisted development (sonic-net#140) (2 weeks ago) [rustiqly]
* 2b6b37c - Write DASH_DPU_RESET_INFO_TABLE when dpu midplane or control plane down (sonic-net#137) (4 weeks ago) [yue-fred-gao]
* 9b3c0bf - Add bfd rewrite on pmon change. (sonic-net#136) (4 weeks ago) [dypet]
* af44396 - [build] Disable debian helper auto install for cargo project. (sonic-net#135) (5 weeks ago) [Liu Shilong]
* 17e2e0b - Implement bfd pinned state (sonic-net#134) (5 weeks ago) [yue-fred-gao]
* c04969e - switch to using libboost1.83 (sonic-net#133) (6 weeks ago) [yijingyan2]
* b38d8fb - Change to DBConnector::clone_timeout_async (sonic-net#132) (3 months ago) [yue-fred-gao]
```
#### How I did it
#### How to verify it
#### Description for the changelog
kazinator-arista pushed a commit to kazinator-arista/sonic-mgmt that referenced this pull request Mar 4, 2026
following PR's :
Implement cbgpPeer2State in CiscoBgp4MIB (sonic-net#119)
Fix index nodes in LLDP tables whose access right is not-accessible.
(sonic-net#112)
 Fix quagga/FRR parser on IPv6 BGP sessions (sonic-net#122)
 [lint] Fix some syntax errors or warnings (sonic-net#127)
  Update README.md: Add lgtm badges (sonic-net#128)
  [Multi-asic]: Support multi-asic platform (sonic-net#126)
  Simplify test code (sonic-net#132)
  [Multi-asic]: Namespace support for LLDP and Sensor tables (sonic-net#131)
  Fix undefined variable and warning message (sonic-net#134)
  Fix SNMP AgentX socket connection timeout when using
  Namespace.get_all() (sonic-net#140)
  [Namespace] Fix interfaces counters in InterfacesMIB RFC 2863 (sonic-net#141)
   Fix LGTM reported alert of PR#141 (sonic-net#142)
kazinator-arista pushed a commit to kazinator-arista/sonic-mgmt that referenced this pull request Mar 4, 2026
…lly (sonic-net#15776)

#### Why I did it
src/sonic-gnmi
```
* d1467d3 - (HEAD -> 202305, origin/202305) Update makefile to support armhf (sonic-net#132) (sonic-net#133) (5 days ago) [ganglv]
* 88ee65d - [202305] Checkout correct branch from sonic-mgmt-common and sonic-swss-common during pipeline build (sonic-net#128) (5 days ago) [Sachin Holla]
* 87d8eb3 - TranslClient: use PathValidator to sanitize the request paths (sonic-net#112) (4 weeks ago) [Sachin Holla]
```
#### How I did it
#### How to verify it
#### Description for the changelog
kazinator-arista pushed a commit to kazinator-arista/sonic-mgmt that referenced this pull request Mar 4, 2026
Why I did it
[Submodule][202211] Advance sonic-restapi pointer

The branch 202012 has already updated to commit 47e4b53.

4f6f979 Fix the redis security issue CVE-2023-28858 and CVE-2023-28859 (sonic-net#139)
47e4b53 Fix adv_pfx len for ipv6 (sonic-net#135)
44121be Support ipv6 prefix lenght greater than 64 and check for adv_prefix (sonic-net#134)
99c467d Add API support for adv prefix and custom monitoring (sonic-net#133)
347684a Use github code scanning instead of LGTM (sonic-net#132)
86543d0 Updates to route PATCH API (sonic-net#129)
a1af82c Install libyang to azure pipeline (sonic-net#128)
2007c4c Increase coverage threshold (sonic-net#126)

Work item tracking
Microsoft ADO (number only): 17705422
How I did it
How to verify it