Add caclmgrd and related files to translate and install control plane ACL rules #1240

Merged
merged 8 commits into from
Jan 10, 2018

Conversation

jleveque (Contributor) commented Dec 15, 2017

- What I did

  • Modify minigraph.py to properly parse control plane ACLs
  • Add caclmgrd daemon which receives ACL table change notifications from Config DB and responds by generating and applying a new set of corresponding iptables rules.
  • Add related service and start script to manage caclmgrd
  • Prevent caclmgrd from starting on Arista platforms (will use a proprietary solution instead)
  • Prevent Docker from modifying iptables rules
  • Modify sshd_config so that SSH daemon only listens for connections on IPv4 interface, not IPv6

@jleveque jleveque self-assigned this Dec 15, 2017
@jleveque jleveque requested a review from lguohan December 15, 2017 01:16
@jleveque jleveque changed the title Add caclmgrd and related files to translate and install control plane ACL rules [DO NOT MERGE YET] Add caclmgrd and related files to translate and install control plane ACL rules Dec 20, 2017
```python
acls[aclname] = {'policy_desc': aclname,
                 'ports': acl_intfs,
                 'type': 'MIRROR' if is_mirror else 'L3',
                 'service': 'N/A'}
```

Contributor:

So is this "service" attribute only feasible for CTRLPLANE type? Will orchagent read this field for L3 and MIRROR?

Contributor Author:

It is only applicable to CTRLPLANE type. Orchagent currently has no concept of this field, so it is effectively ignored for L3 and MIRROR ACLs.

```python
try:
    import syslog
    from swsssdk import ConfigDBConnector
except ImportError as err:
    raise ImportError("%s - required module not found" % str(err))
```

Contributor:

Why do we need this?

Contributor Author:

This ImportError try/except block is something that was present in many SONiC Python scripts when I first joined the team. It is something I have carried over into new scripts for consistency. It is not necessary, it just presents a clear error message to the user if it fails to import a module and attempts to continue on.

It might be better to simply throw the exception and exit; again, I've simply carried on using it for consistency within the project.

```python
(stdout, stderr) = proc.communicate()

if proc.returncode != 0:
    log_error("Error running command '{}'".format(cmd))
```

Contributor:

Do we want to continue with the following commands when a previous command failed? Not quite sure whether stopping or continuing is the better approach; might need to look into the detailed scenario.
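The translation step the PR description outlines (Config DB ACL tables in, iptables rules out) and the failure question raised in the comment above, worked through as an added example. This is not caclmgrd's code: the CONFIG_DB-style layout it assumes (ACL_TABLE entries with a `type` of CTRLPLANE and a comma-separated `services` field; ACL_RULE entries keyed by (table, rule) carrying `PRIORITY`, `SRC_IP` and `PACKET_ACTION`), the `SERVICE_MATCH` port map and the sample tables are all constructed for illustration.

```python
"""Translate control plane ACL tables into iptables rules and apply them.

Added example, not caclmgrd's own code. The CONFIG_DB-style layout it assumes
(ACL_TABLE entries with a 'type' of CTRLPLANE and a comma-separated 'services'
field; ACL_RULE entries keyed by (table, rule) with PRIORITY, SRC_IP and
PACKET_ACTION) and the SERVICE_MATCH port map are illustrative.
"""
import ipaddress

# Assumed mapping from a control plane service name to its L4 match.
SERVICE_MATCH = {
    "SSH": ("tcp", 22),
    "SNMP": ("udp", 161),
    "NTP": ("udp", 123),
}

# Constructed sample tables: one CTRLPLANE table and one L3 table that must be
# ignored here because the ASIC (orchagent) enforces it, not iptables.
SAMPLE_TABLES = {
    "SSH_ONLY": {"policy_desc": "SSH_ONLY", "type": "CTRLPLANE", "services": "SSH"},
    "DATAACL": {"policy_desc": "DATAACL", "type": "L3", "ports": "Ethernet0"},
}
SAMPLE_RULES = {
    ("SSH_ONLY", "RULE_1"): {"PRIORITY": "9999", "SRC_IP": "10.0.0.0/8", "PACKET_ACTION": "FORWARD"},
    ("SSH_ONLY", "RULE_2"): {"PRIORITY": "9998", "SRC_IP": "192.0.2.7/32", "PACKET_ACTION": "FORWARD"},
    ("SSH_ONLY", "RULE_3"): {"PRIORITY": "100", "SRC_IP": "2001:db8::/32", "PACKET_ACTION": "FORWARD"},
    ("DATAACL", "RULE_1"): {"PRIORITY": "9999", "SRC_IP": "10.1.0.0/16", "PACKET_ACTION": "DROP"},
}


def translate(acl_tables, acl_rules):
    """Return (iptables argument strings, skipped rule keys).

    Only CTRLPLANE tables are translated. Rules are ordered by PRIORITY,
    highest first, so precedence survives the move into a linear chain, and
    each table ends with a DROP for its services (a table with rules is
    treated as an implicit deny for everything it does not permit).
    """
    cmds = [
        "-P INPUT ACCEPT",
        "-F INPUT",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    skipped = []
    for tname, table in acl_tables.items():
        if table.get("type") != "CTRLPLANE":
            continue
        services = [s.strip() for s in table.get("services", "").split(",")]
        matches = [SERVICE_MATCH[s] for s in services if s in SERVICE_MATCH]
        rules = [(key, r) for key, r in acl_rules.items() if key[0] == tname]
        rules.sort(key=lambda kv: int(kv[1].get("PRIORITY", 0)), reverse=True)
        for key, rule in rules:
            pa = rule.get("PACKET_ACTION", "").upper()
            action = "ACCEPT" if pa in ("FORWARD", "ACCEPT") else "DROP"
            src_arg = ""
            src = rule.get("SRC_IP")
            if src:
                # Validate the prefix here rather than letting iptables reject it
                # half-way through applying the chain.
                net = ipaddress.ip_network(src, strict=False)
                if net.version != 4:
                    skipped.append(key)  # iptables is IPv4 only; ip6tables is out of scope
                    continue
                src_arg = " -s {}".format(net)
            for proto, port in matches:
                cmds.append("-A INPUT{} -p {} --dport {} -j {}".format(src_arg, proto, port, action))
        if rules:
            for proto, port in matches:
                cmds.append("-A INPUT -p {} --dport {} -j DROP".format(proto, port))
    return cmds, skipped


def apply_rules(cmds, run, stop_on_error=True):
    """Apply rules through run(command) -> exit status; return (applied, failed).

    This is the choice the review raised: stopping at the first failure keeps
    a broken rule from being silently skipped, but failing after '-F INPUT'
    leaves the chain empty with policy ACCEPT, so a real daemon should also
    restore the previous rule set when it bails out.
    """
    applied, failed = [], []
    for cmd in cmds:
        if run("iptables " + cmd) == 0:
            applied.append(cmd)
        else:
            failed.append(cmd)
            if stop_on_error:
                break
    return applied, failed


if __name__ == "__main__":
    rules, skipped = translate(SAMPLE_TABLES, SAMPLE_RULES)
    for r in rules:
        print("iptables " + r)
    print("skipped (non-IPv4):", skipped)
```

`run` is injected so the translation can be exercised without root or a real netfilter; in the stand-alone run it only prints the commands. The IPv6 rule in the sample is reported in `skipped` rather than dropped silently, which matters because a skipped permit or deny changes what the chain enforces.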

@@ -226,6 +226,8 @@ sudo cp files/sshd/host-ssh-keygen.sh $FILESYSTEM_ROOT/usr/local/bin/
sudo cp -f files/sshd/sshd.service $FILESYSTEM_ROOT/lib/systemd/system/ssh.service
## Config sshd
sudo augtool --autosave "set /files/etc/ssh/sshd_config/UseDNS no" -r $FILESYSTEM_ROOT
sudo sed -i 's/^ListenAddress ::/#ListenAddress ::/' $FILESYSTEM_ROOT/etc/ssh/sshd_config
sudo sed -i 's/^#ListenAddress 0.0.0.0/ListenAddress 0.0.0.0/' $FILESYSTEM_ROOT/etc/ssh/sshd_config
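Review bot: the two `sed -i` substitutions on the last two lines exit 0 whether or not their pattern matched, so if the sshd_config in the image does not contain exactly `ListenAddress ::` and `#ListenAddress 0.0.0.0` the build still succeeds with sshd bound to all addresses, IPv6 included, and the iptables rules the description says caclmgrd installs do not cover IPv6. Consider asserting the result, e.g. `grep -q '^ListenAddress 0.0.0.0' $FILESYSTEM_ROOT/etc/ssh/sshd_config`, or setting the directives through augtool as the `UseDNS` line just above does, so that a pattern mismatch fails the build instead of passing unnoticed.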
lguohan (Collaborator) commented Dec 29, 2017:

why do we need to uncomment these?

Contributor Author:

We decided to only accept SSH connections over IPv4 interfaces, not IPv6. These two lines accomplish this.
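The effect of those two lines, checked as an added example that is not part of the PR: it replays the two sed substitutions on a constructed sshd_config and computes which addresses sshd would actually bind, relying on sshd's documented default that with no active `ListenAddress` it listens on all local addresses, IPv4 and IPv6. `STOCK_CONFIG` and `DRIFTED_CONFIG` are constructed stand-ins, not the real Debian file.

```python
"""Check what sshd would bind to after the ListenAddress edits.

Added example, not part of the PR. It replays the two sed substitutions from
build_debian.sh on a constructed sshd_config and computes the effective listen
addresses, using sshd's documented default that with no ListenAddress directive
it listens on all local addresses, IPv4 and IPv6.
"""
import re

# Constructed stand-in for a stock Debian sshd_config; not the real file.
STOCK_CONFIG = """\
# Package generated configuration file
Port 22
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
UseDNS no
"""

# Constructed drifted config: lower-case keywords are valid for sshd, but the
# case-sensitive sed patterns will not match them.
DRIFTED_CONFIG = """\
Port 22
listenaddress ::
listenaddress 0.0.0.0
"""

# The two substitutions from the build script, as (anchored pattern, replacement).
EDITS = [
    (r"^ListenAddress ::", "#ListenAddress ::"),
    (r"^#ListenAddress 0.0.0.0", "ListenAddress 0.0.0.0"),
]

ALL_ADDRESSES = frozenset({"0.0.0.0", "::"})


def apply_edits(text, edits=EDITS):
    """Apply each substitution to every line; return (new_text, hits per edit).

    A hit count of zero is the silent-failure case: sed -i exits 0 whether or
    not the pattern matched anything.
    """
    lines = text.splitlines()
    hits = []
    for pattern, repl in edits:
        rx = re.compile(pattern)
        count = 0
        for n, line in enumerate(lines):
            if rx.match(line):
                lines[n] = rx.sub(repl, line, count=1)
                count += 1
        hits.append(count)
    return "\n".join(lines) + "\n", hits


def listen_addresses(text):
    """Return the set of addresses sshd would bind given this config text.

    Keywords are case-insensitive, '#' starts a comment, and keyword and value
    may be separated by whitespace or '='. No active ListenAddress means all
    local addresses.
    """
    addrs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "listenaddress":
            addrs.add(parts[1].strip())
    return addrs or set(ALL_ADDRESSES)


def ipv6_exposed(text):
    """True if sshd would still accept connections on an IPv6 address.

    '0.0.0.0:22' has a single colon (a port suffix) and is IPv4; '::' or
    '[::]:22' are IPv6.
    """
    return any(a.startswith("[") or a.count(":") > 1 for a in listen_addresses(text))


if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_CONFIG), ("drifted", DRIFTED_CONFIG)):
        new, hits = apply_edits(cfg)
        print(name, "hits:", hits, "listens on:", sorted(listen_addresses(new)),
              "ipv6 exposed:", ipv6_exposed(new))
```

On the stock layout the first substitution matches nothing (the IPv6 line is already commented) and the second enables `ListenAddress 0.0.0.0`, which is enough to restrict sshd to IPv4. On the drifted layout neither pattern matches, both listeners stay active, and nothing in the build reports it; that zero hit count is the thing worth checking.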

@jleveque jleveque merged commit 0fffa6c into sonic-net:master Jan 10, 2018
@jleveque jleveque deleted the ctrl_plane_acls branch January 10, 2018 01:55
zhenggen-xu added a commit to zhenggen-xu/sonic-buildimage that referenced this pull request Oct 17, 2019
* github:
  [minigraph]: Set hostname in all default minigraphs to 'sonic' (sonic-net#1333)
  Install sonic-platform-common package in platform-monitor docker for ledd (sonic-net#1330)
  Prevent supervisor from restarting configdb-load.sh (sonic-net#1324)
  [scripts]: Fix issues with checking status of the DB. Use one approach everywhere. (sonic-net#1323)
  [Arista7260cx3] Add platform specific reboot tool (sonic-net#1318)
  Install azure cli into docker-sonic-mgmt (sonic-net#1322)
  [sonic-py-swsssdk]: Update submodule pointer (sonic-net#1319)
  [supervisor] Add patch to prevent 'supervisorctl start' command from hanging if system time has rolled backward (sonic-net#1311)
  Move platform-specific hardware plugin base packages to sonic-platform-common submodule (sonic-net#1301)
  [baseimage]: Add missing dependency of igb & ixgbe (sonic-net#1316)
  [snmpagent]: Update sonic-snmpagent submodule (sonic-net#1314)
  Run docker containers with /tmp and /var/tmp mounted to tmpfs (sonic-net#1313)
  [Broadcom]: Update Broadcom SAI package to 3.0.3.3-3 (sonic-net#1312)
  [submodule]: Update sairedis (sonic-net#1310)
  [snmpagent]: Update sonic-snmpagent submodule (sonic-net#1308)
  [baseimage]: add mkfs.ext3 and fsck.ext3 in initrd to support ext3 partition (sonic-net#1306)
  [submodule]: update sonic-sairedis to enable syncd-rpc (sonic-net#1304)
  [device]: Fix Mellanox sku check (sonic-net#1303)
  Add support for Accton AS7712-32X platform (sonic-net#1299)
  [build]: build libsaithrift-dev and docker-ptf-[platform] (sonic-net#1300)
  [libsaithrift-dev]: Enable building libsaithrift-dev and pythonthrift libraries (sonic-net#1296)
  [Platform] Update switch configuration files and download link for Ingrasys S9130-32X/S9230-64X (sonic-net#1295)
  [Delta]: Add psuutil support for ag9032v1 (sonic-net#1298)
  Revert "[Dell S6100, Z9100] psusutil sysfs attribute changes for hwmon (sonic-net#1264)" (sonic-net#1297)
  [Dell S6100, Z9100] psusutil sysfs attribute changes for hwmon (sonic-net#1264)
  [Platform]As7712-32x update for sensors test (sonic-net#1292)
  Revert "[DHCP relay]: Add patch to always undef VLAN_TCI_PRESENT so as not to treat VLAN-tagged packets differently (sonic-net#1254)" (sonic-net#1291)
  [submodule]: Update swss-common (sonic-net#1289)
  [baseimage]: Install sysfsutils package into SONiC host system (sonic-net#1290)
  Add caclmgrd and related files to translate and install control plane ACL rules (sonic-net#1240)
  [mellanox]: Update Mellanox buffers configuration (sonic-net#1263)
  [platform]: chmod 0644 for *.mk files (sonic-net#1284)
  [arista]: Update Arista platform modules and mount libraries to snmp docker (sonic-net#1283)
  [platform]: chmod a+x for debian/rules for platform-modules-delta (sonic-net#1282)
  Let debootstrap use the same sources link as apt (sonic-net#1279)
  [doc]: update sonic-buildimage clone instructions (sonic-net#1278)
  [image]: Explicitly specify kernel_version as string (sonic-net#1280)
  Disable autosuspend for USB devices, preventing USB drives from being stopped and then renamed (sonic-net#1275)
  [platform]: As7712 32x add fancontrol (sonic-net#1270)
  [Platform] Add psuutil support for Ingrasys S9130-32X (sonic-net#1273)
  [submodules]: Update swss and utilities modules (sonic-net#1276)
  [Platform] Add psuutil and update submodule for Ingrasys S9100-32X, S8810-32Q, S9200-64X on master branch (sonic-net#1271)
  [centec]: support sai1.0 (sonic-net#1268)
  [build]: add build badge for nephos platform (sonic-net#1267)
  [build]: allow to use http(s) proxy in the build (sonic-net#1265)
  [Accton AS7816-64X] Add new platform and device for AS7816-64X. (sonic-net#1260)
  [Platform] Add Ingrasys S9130-32X and S9230-64X with Nephos Switch ASIC (sonic-net#1245)
  Add 'make reset' target with warning prompt to reset git repo and submodules (sonic-net#1258)
  [sudoers] Add 'docker ps' to READ_ONLY_CMDS (sonic-net#1259)
  Add set/get lpmode and mode_rst feature for qsfp (sonic-net#1261)
  [build] allow user to override the default number of build jobs (sonic-net#1255)
  [build] make second Accton Debian package extra package of the first one (sonic-net#1257)
  [arista] Delete sysfs entries for all Arista Digital Power Monitor/Management devices (sonic-net#1256)
  [DHCP relay]: Add patch to always undef VLAN_TCI_PRESENT so as not to treat VLAN-tagged packets differently (sonic-net#1254)
  [snmp]: Save S/N in state DB prior to starting service (sonic-net#1246)
  [device/accton] Correct exception function name (sonic-net#1249)
  [DHCP relay]: Fix circuit ID and remote ID bugs (sonic-net#1248)
  [sonic-py-swsssdk]: Update submodule pointer (sonic-net#1253)
  [swss]: update swss submodule (sonic-net#1244)
  [broadcom]: update sai to 3.0.3.3-1 (sonic-net#1243)
jleveque added a commit that referenced this pull request Nov 25, 2020
…heel (#5926)

Submodule updates include the following commits:

* src/sonic-utilities 9dc58ea...f9eb739 (18):
  > Remove unnecessary calls to str.encode() now that the package is Python 3; Fix deprecation warning (#1260)
  > [generate_dump] Ignoring file/directory not found Errors (#1201)
  > Fixed portstat rate and util issues (#1140)
  > fix error: interface counters mismatch after warm-reboot (#1099)
  > Remove unnecessary calls to str.decode() now that the package is Python 3 (#1255)
  > [acl-loader] Make list sorting compliant with Python 3 (#1257)
  > Replace hard-coded fast-reboot with variable. And some typo corrections (#1254)
  > [configlet][portconfig] Remove calls to dict.has_key() which is not available in Python 3 (#1247)
  > Remove unnecessary conversions to list() and calls to dict.keys() (#1243)
  > Clean up LGTM alerts (#1239)
  > Add 'requests' as install dependency in setup.py (#1240)
  > Convert to Python 3 (#1128)
  > Fix mock SonicV2Connector in python3: use decode_responses mode so caller code will be the same as python2 (#1238)
  > [tests] Do not trim from PATH if we did not append to it; Clean up/fix shebangs in scripts (#1233)
  > Updates to bgp config and show commands with BGP_INTERNAL_NEIGHBOR table (#1224)
  > [cli]: NAT show commands newline issue after migrated to Python3 (#1204)
  > [doc]: Update Command-Reference.md (#1231)
  > Added 'import sys' in feature.py file (#1232)

* src/sonic-py-swsssdk 9d9f0c6...1664be9 (2):
  > Fix: no need to decode() after redis client scan, so it will work for both python2 and python3 (#96)
  > FieldValueMap `contains`(`in`)  will also work when migrated to libswsscommon(C++ with SWIG wrapper) (#94)

- Also fix Python 3-related issues:
    - Use integer (floor) division in config_samples.py (sonic-config-engine)
    - Replace print statement with print function in eeprom.py plugin for x86_64-kvm_x86_64-r0 platform
    - Update all platform plugins to be compatible with both Python 2 and Python 3
    - Remove shebangs from plugins files which are not intended to be executable
    - Replace tabs with spaces in Python plugin files and fix alignment, because Python 3 is more strict
    - Remove trailing whitespace from plugins files
santhosh-kt pushed a commit to santhosh-kt/sonic-buildimage that referenced this pull request Feb 25, 2021
…heel (sonic-net#5926)
stepanblyschak pushed a commit to stepanblyschak/sonic-buildimage that referenced this pull request May 10, 2021
The `requests` package is used by a couple modules (config/kube.py and scripts/neighbor_advertiser), but it was not specified as an install-time dependency. Now that the package is built as Python 3, some commands are crashing with `ModuleNotFoundError: No module named 'requests'`.
theasianpianist pushed a commit to theasianpianist/sonic-buildimage that referenced this pull request Feb 5, 2022
add vlan package for the command line vconfig
yxieca pushed a commit that referenced this pull request Jun 16, 2023
…tically (#15506)

src/sonic-sairedis

* ec81223 - (HEAD -> 202205, origin/202205) [syncd] Add pre match logic for acl entry (#1240) (10 hours ago) [Kamil Cudnik]
* 2966e58 - Fix pipeline issue caused by urllib3 v2 (10 hours ago) [Liu Shilong]
mssonicbld added a commit that referenced this pull request Aug 30, 2023
…tically (#16291)

#### Why I did it
src/sonic-sairedis
```
* 2ebbd48 - (HEAD -> 202211, origin/202211) [syncd] Add pre match logic for acl entry (#1240) (11 hours ago) [Kamil Cudnik]
* 1db8726 - Use SAI_STATUS_ITEM_NOT_FOUND when key not found (#1224) (11 hours ago) [Lawrence Lee]
* 9e4071b - [CI]: Fix collect log error in azp template. (#1282) (4 days ago) [Nazarii Hnydyn]
```
#### How I did it
#### How to verify it
#### Description for the changelog