From 676ebe40a57212b1119efdb7a17a7a16bdfc40cb Mon Sep 17 00:00:00 2001 From: ryanzhu706 Date: Mon, 3 Jun 2024 15:57:32 -0700 Subject: [PATCH] Add a check for ensuring mirror session ACLs are programmed to ASIC (#3333) Description Add a check for ensuring mirror session ACLs are programmed to ASIC What is the issue? This fix is to address an issue where an ACL is added to CONFIG_DB, but before it could be programmed to ASIC, Orchagent is paused. This leads to APPLY_VIEW failure when base image OA could not process this ACL entry and target image's OA still creates it. The issue has an image fix available at sonic-net/sonic-sairedis#1240 This issue is very rare, and has been caught by upgrade path tests only once in thousands of iterations. What is this fix? A new logic is added to check if mirror session ACLs for arp and nd are added to ASIC.. ACLs are looked into ASIC_DB and matched using SAI_ACL_ENTRY_ATTR_PRIORITY attribute. SAI_ACL_ENTRY_ATTR_PRIORITY for arp ACL is 8888 and for nd is 8887 If one of the ACLs is found missing then warmboot is aborted. Tested on physical testbed running 202311 and master
---
 scripts/fast-reboot | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/scripts/fast-reboot b/scripts/fast-reboot
index ab3d075fd8..53dcffd7d2 100755
--- a/scripts/fast-reboot
+++ b/scripts/fast-reboot
@@ -50,6 +50,7 @@ EXIT_NO_CONTROL_PLANE_ASSISTANT=20
 EXIT_SONIC_INSTALLER_VERIFY_REBOOT=21
 EXIT_PLATFORM_FW_AU_FAILURE=22
 EXIT_TEAMD_RETRY_COUNT_FAILURE=23
+EXIT_NO_MIRROR_SESSION_ACLS=24
 function error()
 {
@@ -283,6 +284,47 @@ function backup_database()
 fi
 }
+function check_mirror_session_acls()
+{
+ debug "Checking if mirror session ACLs (arp, nd) programmed to ASIC successfully"
+ ACL_ARP="missing"
+ ACL_ND="missing"
+ start_time=${SECONDS}
+ elapsed_time=$((${SECONDS} - ${start_time}))
+ while [[ ${elapsed_time} -lt 10 ]]; do
+ CHECK_ACL_ENTRIES=0
+ ACL_OUTPUT=$(sonic-db-cli ASIC_DB KEYS "*" | grep SAI_OBJECT_TYPE_ACL_ENTRY) || CHECK_ACL_ENTRIES=$?
+ if [[ ${CHECK_ACL_ENTRIES} -ne 0 ]]; then
+ error "Failed to retrieve SAI_OBJECT_TYPE_ACL_ENTRY from redis"
+ exit ${EXIT_NO_MIRROR_SESSION_ACLS}
+ fi
+ ACL_ENTRIES=( ${ACL_OUTPUT} )
+ if [[ ${#ACL_ENTRIES[@]} -eq 0 ]]; then
+ error "NO SAI_OBJECT_TYPE_ACL_ENTRY objects found"
+ exit ${EXIT_NO_MIRROR_SESSION_ACLS}
+ fi
+ for ACL_ENTRY in ${ACL_ENTRIES[@]}; do
+ ACL_PRIORITY=$(sonic-db-cli ASIC_DB HGET ${ACL_ENTRY} SAI_ACL_ENTRY_ATTR_PRIORITY)
+ if [[ ${ACL_PRIORITY} -eq 8888 ]]; then
+ ACL_ARP="found"
+ fi
+ if [[ ${ACL_PRIORITY} -eq 8887 ]]; then
+ ACL_ND="found"
+ fi
+ done
+ if [[ "${ACL_ARP}" = "found" && "${ACL_ND}" = "found" ]]; then
+ break
+ fi
+ sleep 0.1
+ elapsed_time=$((${SECONDS} - ${start_time}))
+ done
+ if [[ "${ACL_ARP}" != "found" || "${ACL_ND}" != "found" ]]; then
+ debug "Failed to program mirror session ACLs on ASIC. ACLs: ARP=${ACL_ARP} ND=${ACL_ND}"
+ exit ${EXIT_NO_MIRROR_SESSION_ACLS}
+ fi
+ debug "Mirror session ACLs (arp, nd) programmed to ASIC successfully"
+}
+
 function setup_control_plane_assistant()
 {
 if [[ -n "${ASSISTANT_IP_LIST}" && -x ${ASSISTANT_SCRIPT} ]]; then
@@ -290,6 +332,7 @@ function setup_control_plane_assistant()
 if [[ "${HWSKU}" != "DellEMC-Z9332f-M-O16C64" && "${HWSKU}" != "DellEMC-Z9332f-M-O16C64-lab" ]]; then
 debug "Setting up control plane assistant: ${ASSISTANT_IP_LIST} ..."
 ${ASSISTANT_SCRIPT} -s ${ASSISTANT_IP_LIST} -m set
+ check_mirror_session_acls
 else
 debug "${HWSKU} Not capable to support CPA. Skipping gracefully ..."
 fi
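Review bot: In `check_mirror_session_acls`, `CHECK_ACL_ENTRIES` records grep's exit status, so an ASIC_DB that holds no ACL entry yet (grep returns 1) exits on the first pass with "Failed to retrieve SAI_OBJECT_TYPE_ACL_ENTRY from redis" instead of being retried inside the 10-second loop, and the `${#ACL_ENTRIES[@]} -eq 0` branch below it can never run. Letting redis do the filtering, `ACL_OUTPUT=$(sonic-db-cli ASIC_DB KEYS "*SAI_OBJECT_TYPE_ACL_ENTRY*") || CHECK_ACL_ENTRIES=$?`, separates a failed query from an empty result, and the empty case can then fall through to `sleep 0.1` if waiting is what the loop is for. The priority tests `[[ ${ACL_PRIORITY} -eq 8888 ]]` evaluate whatever HGET returned as an arithmetic expression; a quoted string comparison such as `[[ "${ACL_PRIORITY}" == "8888" ]]` treats the database value as data only, and quoting `"${ACL_ENTRY}"` in the HGET call does the same for the key. The final abort message is logged with `debug` while the two earlier failure paths use `error`, which presumably makes the reason for an aborted warm boot easier to miss in the logs.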