201911

device/mellanox/x86_64-mlnx_msn4700-r0/ACS-MSN4700/sai_4700.xml

@@ -5,6 +5,9 @@
         <!-- Device MAC address  -->
         <device-mac-address>00:02:03:04:05:00</device-mac-address>
 
+        <!-- ISSU enabled -->
+        <issu-enabled>1</issu-enabled>
+
         <!-- Number of ports in the following port list -->
         <number-of-physical-ports>32</number-of-physical-ports>
 

dockers/docker-base-stretch/Dockerfile.j2

@@ -55,7 +55,9 @@ RUN apt-get update &&        \
         libjemalloc1         \
         liblua5.1-0          \
         lua-bitop            \
-        lua-cjson
+        lua-cjson            \
+# for processing json files in bash environment
+        jq
 
 {% if CONFIGURED_ARCH == "armhf" %}
 # ip and ifconfig utility missing in docker for armhf

dockers/docker-fpm-frr/frr/bgpd/bgpd.main.conf.j2

@@ -15,7 +15,7 @@ ipv6 prefix-list PL_LoopbackV6 permit {{ get_ipv6_loopback_address(LOOPBACK_INTE
 {% endif %}
 !
 !
-{% if DEVICE_METADATA['localhost']['sub_role'] == 'FrontEnd' %}
+{% if DEVICE_METADATA['localhost']['sub_role'] == 'FrontEnd' or DEVICE_METADATA['localhost']['sub_role'] == 'BackEnd' %}
 route-map HIDE_INTERNAL permit 10
   set community local-AS
 !
@@ -38,16 +38,30 @@ router bgp {{ DEVICE_METADATA['localhost']['bgp_asn'] }}
 {% endif %}
 !
 {# set router-id #}
+{% if multi_asic() %}
+  bgp router-id {{ get_ipv4_loopback_address(LOOPBACK_INTERFACE, "Loopback4096") | ip }}
+{% else %}
   bgp router-id {{ get_ipv4_loopback_address(LOOPBACK_INTERFACE, "Loopback0") | ip }}
+{% endif %}
 !
 {# advertise loopback #}
   network {{ get_ipv4_loopback_address(LOOPBACK_INTERFACE, "Loopback0") | ip }}/32
+{% if multi_asic()  %}
+  network {{ get_ipv4_loopback_address(LOOPBACK_INTERFACE, "Loopback4096") | ip }}/32 route-map HIDE_INTERNAL
+{% endif %}
 !
 {% if get_ipv6_loopback_address(LOOPBACK_INTERFACE, "Loopback0") != 'None' %}
   address-family ipv6
     network {{ get_ipv6_loopback_address(LOOPBACK_INTERFACE, "Loopback0") | ip }}/64
   exit-address-family
 {% endif %}
+{% if multi_asic() %}
+{% if get_ipv6_loopback_address(LOOPBACK_INTERFACE, "Loopback4096") != 'None' %}
+  address-family ipv6
+    network {{ get_ipv6_loopback_address(LOOPBACK_INTERFACE, "Loopback4096") | ip }}/64 route-map HIDE_INTERNAL
+  exit-address-family
+{% endif %}
+{% endif %}
 {% endblock bgp_init %}
 !
 {% block vlan_advertisement %}

dockers/docker-sonic-mgmt/Dockerfile.j2

@@ -49,7 +49,6 @@ RUN pip install cffi==1.10.0 \
                 prettytable \
                 psutil \
                 pyasn1==0.1.9 \
-                pycryptodome \
                 pyfiglet \
                 pylint==1.8.1 \
                 pyro4 \
@@ -169,3 +168,7 @@ RUN ~/lib/azure-cli/bin/python -m pip install azure-keyvault==0.3.7 -U
 # Install Virtual Environment
 RUN python -m virtualenv --system-site-packages env-201811
 RUN env-201811/bin/pip install ansible==2.0.0.2
+
+# NOTE: There is an ordering dependency for pycryptodome. Leaving this at
+#       the end until we figure that out.
+RUN pip install pycryptodome==3.9.8

dockers/docker-sonic-telemetry/Dockerfile.j2

@@ -26,7 +26,7 @@ RUN apt-get clean -y      && \
     apt-get autoremove -y && \
     rm -rf /debs
 
-COPY ["start.sh", "telemetry.sh", "dialout.sh", "/usr/bin/"]
+COPY ["start.sh", "telemetry.sh", "dialout.sh", "telemetry_vars.j2", "/usr/bin/"]
 COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
 COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
 COPY ["critical_processes", "/etc/supervisor"]

dockers/docker-sonic-telemetry/telemetry.sh

@@ -2,36 +2,38 @@
 
 # Try to read telemetry and certs config from ConfigDB.
 # Use default value if no valid config exists
-X509=`sonic-cfggen -d -v "DEVICE_METADATA['x509']"`
-gnmi=`sonic-cfggen -d -v "TELEMETRY['gnmi']"`
-certs=`sonic-cfggen -d -v "TELEMETRY['certs']"`
+TELEMETRY_VARS=$(sonic-cfggen -d -t telemetry_vars.j2)
+TELEMETRY_VARS=${TELEMETRY_VARS//[\']/\"}
+X509=$(echo $TELEMETRY_VARS | jq -r '.x509')
+GNMI=$(echo $TELEMETRY_VARS | jq -r '.gnmi')
+CERTS=$(echo $TELEMETRY_VARS | jq -r '.certs')
 
 TELEMETRY_ARGS=" -logtostderr"
 export CVL_SCHEMA_PATH=/usr/sbin/schema
 
-if [ -n "$certs" ]; then
-    SERVER_CRT=`sonic-cfggen -d -v "TELEMETRY['certs']['server_crt']"`
-    SERVER_KEY=`sonic-cfggen -d -v "TELEMETRY['certs']['server_key']"`
+if [ -n "$CERTS" ]; then
+    SERVER_CRT=$(echo $CERTS | jq -r '.server_crt')
+    SERVER_KEY=$(echo $CERTS | jq -r '.server_key')
     if [ -z $SERVER_CRT  ] || [ -z $SERVER_KEY  ]; then
         TELEMETRY_ARGS+=" --insecure"
     else
         TELEMETRY_ARGS+=" --server_crt $SERVER_CRT --server_key $SERVER_KEY "
     fi
 
-    CA_CRT=`sonic-cfggen -d -v "TELEMETRY['certs']['ca_crt']"`
+    CA_CRT=$(echo $CERTS | jq -r '.ca_crt')
     if [ ! -z $CA_CRT ]; then
         TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
     fi
 elif [ -n "$X509" ]; then
-    SERVER_CRT=`sonic-cfggen -d -v "DEVICE_METADATA['x509']['server_crt']"`
-    SERVER_KEY=`sonic-cfggen -d -v "DEVICE_METADATA['x509']['server_key']"`
+    SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
+    SERVER_KEY=$(echo $X509 | jq -r '.server_key')
     if [ -z $SERVER_CRT  ] || [ -z $SERVER_KEY  ]; then
         TELEMETRY_ARGS+=" --insecure"
     else
         TELEMETRY_ARGS+=" --server_crt $SERVER_CRT --server_key $SERVER_KEY "
     fi
 
-    CA_CRT=`sonic-cfggen -d -v "DEVICE_METADATA['x509']['ca_crt']"`
+    CA_CRT=$(echo $X509 | jq -r '.ca_crt')
     if [ ! -z $CA_CRT ]; then
         TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
     fi
@@ -40,19 +42,20 @@ else
 fi
 
 # If no configuration entry exists for TELEMETRY, create one default port
-if [ -z "$gnmi" ]; then
-    sonic-db-cli CONFIG_DB hset "TELEMETRY|gnmi" port 8080
+if [ -z "$GNMI" ]; then
+    PORT=8080
+    sonic-db-cli CONFIG_DB hset "TELEMETRY|gnmi" port $PORT
+else
+    PORT=$(echo $GNMI | jq -r '.port')
 fi
-
-PORT=`sonic-cfggen -d -v "TELEMETRY['gnmi']['port']"`
 TELEMETRY_ARGS+=" --port $PORT"
 
-CLIENT_AUTH=`sonic-cfggen -d -v "TELEMETRY['gnmi']['client_auth']"`
+CLIENT_AUTH=$(echo $GNMI | jq -r '.client_auth')
 if [ -z $CLIENT_AUTH ] || [ $CLIENT_AUTH == "false" ]; then
     TELEMETRY_ARGS+=" --allow_no_client_auth"
 fi
 
-LOG_LEVEL=`sonic-cfggen -d -v "TELEMETRY['gnmi']['log_level']"`
+LOG_LEVEL=$(echo $GNMI | jq -r '.log_level')
 if [ ! -z $LOG_LEVEL ]; then
     TELEMETRY_ARGS+=" -v=$LOG_LEVEL"
 else

dockers/docker-sonic-telemetry/telemetry_vars.j2

@@ -0,0 +1,5 @@
+{
+    "certs": "{% if "certs" in TELEMETRY.keys() %}{{ TELEMETRY["certs"] }}{% endif %}",
+    "gnmi" : "{% if "gnmi" in TELEMETRY.keys() %}{{ TELEMETRY["gnmi"] }}{% endif %}",
+    "x509" : "{% if "x509" in DEVICE_METADATA.keys() %}{{ DEVICE_METADATA["x509"] }}{% endif %}"
+}

files/build_templates/docker_image_ctl.j2

@@ -299,6 +299,11 @@ start() {
         --tmpfs /tmp \
 {%- endif %}
 {%- endif %}
+{%- if sonic_asic_platform == "broadcom" %}
+{%- if docker_container_name == "syncd" %}
+        -v /var/run/docker-syncd$DEV:/var/run/sswsyncd \
+{%- endif %}
+{%- endif %}
 {%- if docker_container_name == "bgp" %}
         -v /etc/sonic/frr/$DEV:/etc/frr:rw \
 {%- endif %}

files/image_config/caclmgrd/caclmgrd

@@ -134,89 +134,37 @@ class ControlPlaneAclManager(object):
         return tcp_flags_str
 
     def generate_block_ip2me_traffic_iptables_commands(self):
-        LOOPBACK_INTERFACE_TABLE_NAME = "LOOPBACK_INTERFACE"
-        MGMT_INTERFACE_TABLE_NAME = "MGMT_INTERFACE"
-        VLAN_INTERFACE_TABLE_NAME = "VLAN_INTERFACE"
-        PORTCHANNEL_INTERFACE_TABLE_NAME = "PORTCHANNEL_INTERFACE"
-        INTERFACE_TABLE_NAME = "INTERFACE"
+        INTERFACE_TABLE_NAME_LIST = [
+            "LOOPBACK_INTERFACE",
+            "MGMT_INTERFACE",
+            "VLAN_INTERFACE",
+            "PORTCHANNEL_INTERFACE",
+            "INTERFACE"
+        ]
 
         block_ip2me_cmds = []
 
-        # Add iptables rules to drop all packets destined for loopback interface IP addresses
-        loopback_iface_table = self.config_db.get_table(LOOPBACK_INTERFACE_TABLE_NAME)
-        if loopback_iface_table:
-            for key, _ in loopback_iface_table.iteritems():
-                if not _ip_prefix_in_key(key):
-                    continue
-                iface_name, iface_cidr = key
-                ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
-                if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                    block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                    block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                else:
-                    log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
-
-        # Add iptables rules to drop all packets destined for management interface IP addresses
-        mgmt_iface_table = self.config_db.get_table(MGMT_INTERFACE_TABLE_NAME)
-        if mgmt_iface_table:
-            for key, _ in mgmt_iface_table.iteritems():
-                if not _ip_prefix_in_key(key):
-                    continue
-                iface_name, iface_cidr = key
-                ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
-                if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                    block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                    block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                else:
-                    log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
-
-        # Add iptables rules to drop all packets destined for our VLAN interface gateway IP addresses
-        vlan_iface_table = self.config_db.get_table(VLAN_INTERFACE_TABLE_NAME)
-        if vlan_iface_table:
-            for key, _ in vlan_iface_table.iteritems():
-                if not _ip_prefix_in_key(key):
-                    continue
-                iface_name, iface_cidr = key
-                ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
-                first_host = next(ip_ntwrk.hosts())
-                if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                    block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(first_host, ip_ntwrk.max_prefixlen))
-                elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                    block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(first_host, ip_ntwrk.max_prefixlen))
-                else:
-                    log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
-
-        # Add iptables rules to drop all packets destined for point-to-point interface IP addresses
-        # (All portchannel interfaces and configured front-panel interfaces)
-        portchannel_iface_table = self.config_db.get_table(PORTCHANNEL_INTERFACE_TABLE_NAME)
-        if portchannel_iface_table:
-            for key, _ in portchannel_iface_table.iteritems():
-                if not _ip_prefix_in_key(key):
-                    continue
-                iface_name, iface_cidr = key
-                ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
-                if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                    block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                    block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                else:
-                    log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
-
-        iface_table = self.config_db.get_table(INTERFACE_TABLE_NAME)
-        if iface_table:
-            for key, _ in iface_table.iteritems():
-                if not _ip_prefix_in_key(key):
-                    continue
-                iface_name, iface_cidr = key
-                ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
-                if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                    block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                    block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                else:
-                    log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
+        # Add iptables rules to drop all packets destined for peer-to-peer interface IP addresses
+        for iface_table_name in INTERFACE_TABLE_NAME_LIST:
+            iface_table = self.config_db.get_table(iface_table_name)
+            if iface_table:
+                for key, _ in iface_table.iteritems():
+                    if not _ip_prefix_in_key(key):
+                        continue
+
+                    iface_name, iface_cidr = key
+                    ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
+
+                    # For VLAN interfaces, the IP address we want to block is the default gateway (i.e.,
+                    # the first available host IP address of the VLAN subnet)
+                    ip_addr = next(ip_ntwrk.hosts()) if iface_table_name == "VLAN_INTERFACE" else ip_ntwrk.network_address
+
+                    if isinstance(ip_ntwrk, ipaddress.IPv4Network):
+                        block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen))
+                    elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
+                        block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen))
+                    else:
+                        log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
 
         return block_ip2me_cmds
 

platform/broadcom/docker-syncd-brcm.mk

@@ -12,8 +12,8 @@ $(DOCKER_SYNCD_BASE)_DBG_DEPENDS += $(SYNCD_DBG) \
                                 $(LIBSAIREDIS_DBG)
 
 $(DOCKER_SYNCD_BASE)_RUN_OPT += -v /host/warmboot:/var/warmboot
-$(DOCKER_SYNCD_BASE)_RUN_OPT += -v /var/run/docker-syncd:/var/run/sswsyncd
 
 $(DOCKER_SYNCD_BASE)_BASE_IMAGE_FILES += bcmcmd:/usr/bin/bcmcmd
 $(DOCKER_SYNCD_BASE)_BASE_IMAGE_FILES += bcmsh:/usr/bin/bcmsh
+$(DOCKER_SYNCD_BASE)_BASE_IMAGE_FILES += bcm_common:/usr/bin/bcm_common
 $(DOCKER_SYNCD_BASE)_BASE_IMAGE_FILES += monit_syncd:/etc/monit/conf.d

platform/broadcom/docker-syncd-brcm/base_image_files/bcm_common

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+function help()
+{
+    echo "Usage: $0 -n [0 to $(($NUM_ASIC-1))]" 1>&2; exit 1;
+
+}
+
+
+DEV=""
+
+PLATFORM=`sonic-cfggen -H -v DEVICE_METADATA.localhost.platform`
+
+# Parse the device specific asic conf file, if it exists
+
+ASIC_CONF=/usr/share/sonic/device/$PLATFORM/asic.conf
+if [ -f "$ASIC_CONF" ]; then
+    source $ASIC_CONF
+fi
+
+
+if [[ ($NUM_ASIC -gt 1) ]]; then
+    OPTIND=1
+
+    while getopts ":n:h:" opt; do
+        case "${opt}" in
+            h) help
+               exit 0
+               ;;
+            n) DEV=${OPTARG}
+               [ $DEV -lt $NUM_ASIC -a  $DEV -ge 0 ] || help
+               ;;
+        esac
+    done
+    shift "$((OPTIND-1))"
+
+    if [ -z "${DEV}" ]; then
+        help
+    fi
+fi

platform/broadcom/docker-syncd-brcm/base_image_files/bcmcmd

@@ -1,3 +1,8 @@
 #!/bin/bash
 
-docker exec -i syncd bcmcmd "$@"
+BCM_COMMON=/usr/bin/bcm_common
+if [ -f "$BCM_COMMON" ]; then
+    source $BCM_COMMON
+fi
+docker exec -i syncd$DEV bcmcmd "$@"
+

platform/broadcom/docker-syncd-brcm/base_image_files/bcmsh

@@ -1,3 +1,8 @@
 #!/bin/bash
 
-docker exec -it syncd bcmsh "$@"
+BCM_COMMON=/usr/bin/bcm_common
+if [ -f "$BCM_COMMON" ]; then
+    source $BCM_COMMON
+fi
+
+docker exec -it syncd$DEV bcmsh "$@"

platform/broadcom/sai.mk

@@ -1,8 +1,8 @@
-BRCM_SAI = libsaibcm_3.7.5.1-1_amd64.deb
-$(BRCM_SAI)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/libsaibcm_3.7.5.1-1_amd64.deb?sv=2015-04-05&sr=b&sig=cxmXsJ%2BjcnR9ckFRbMigIbkzOncYkiV04weL%2FVPKBmk%3D&se=2034-03-06T00%3A30%3A30Z&sp=r"
-BRCM_SAI_DEV = libsaibcm-dev_3.7.5.1-1_amd64.deb
+BRCM_SAI = libsaibcm_3.7.5.1-2_amd64.deb
+$(BRCM_SAI)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/libsaibcm_3.7.5.1-2_amd64.deb?sv=2015-04-05&sr=b&sig=NMXmDm7ME%2BDN9n4kw6wXgIVmIjRifu%2FWV0UbLU9qllw%3D&se=2034-03-17T05%3A53%3A29Z&sp=r"
+BRCM_SAI_DEV = libsaibcm-dev_3.7.5.1-2_amd64.deb
 $(eval $(call add_derived_package,$(BRCM_SAI),$(BRCM_SAI_DEV)))
-$(BRCM_SAI_DEV)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/libsaibcm-dev_3.7.5.1-1_amd64.deb?sv=2015-04-05&sr=b&sig=LVgghAv75VG4idW6xfpId%2FlrvPBja7uBQeTbjZsR3CA%3D&se=2034-03-06T00%3A31%3A30Z&sp=r"
+$(BRCM_SAI_DEV)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/3.7/libsaibcm-dev_3.7.5.1-2_amd64.deb?sv=2015-04-05&sr=b&sig=3Q8S5fwg7WV%2BCKVwMALrf8dpQWK2cSD4J4zxbVht%2BT8%3D&se=2034-03-17T05%3A54%3A05Z&sp=r"
 
 SONIC_ONLINE_DEBS += $(BRCM_SAI)
 $(BRCM_SAI_DEV)_DEPENDS += $(BRCM_SAI)

platform/nephos/rules.mk

@@ -23,7 +23,7 @@ SONIC_ONLINE_FILES += $(NPX_DIAG) $(WARM_VERIFIER) $(DSSERVE)
 SONIC_ALL += $(SONIC_ONE_IMAGE) $(DOCKER_FPM)
 
 # Inject nephos sai into sairedis
-$(LIBSAIREDIS)_DEPENDS += $(NEPHOS_SAI) $(NEPHOS_SAI_DEV)
+$(LIBSAIREDIS)_DEPENDS += $(NEPHOS_SAI) 
 ifeq ($(ENABLE_SYNCD_RPC),y)
 $(LIBSAIREDIS)_DEPENDS += $(LIBSAITHRIFT_DEV)
 endif