-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix tcpdump report error when tacacs enabled. #16372
Conversation
is this tested on 202205 branch? |
why tcpdump needs access to /etc/tacplus_nss.conf? |
the apparmor has local/usr.bin.tcpdump to allow local customization, suggest to use that mechanism instead of modifying this file which is a little bit fragile. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggest to override /etc/apparmor.d/local/usr.bin.tcpdump
Yes, this tested on 202205 branch by copy the modified profile. |
The code of tcpdump will invoke 'getpwnam' API, and nss-tacplus plugin hook this API for TACACS authentication. |
Fixed, validate with new image again and confirm the issue fixed. |
build_debian.sh
Outdated
# latest tcpdump control resource access with AppArmor. | ||
# override tcpdump profile to allow tcpdump access TACACS config file. | ||
if [ -f ${FILESYSTEM_ROOT}/etc/apparmor.d/local/usr.bin.tcpdump ]; then | ||
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo -e '\n# for access tacacs config\n/etc/tacplus_nss.conf r,\n' > /etc/apparmor.d/local/usr.bin.tcpdump" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there is local file why to add some files in the buildimage, this does not seem to be the standard way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code is modifying the local file: '/etc/apparmor.d/local/usr.bin.tcpdump'
The local file been created by tcpdump install.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lguohan , Could you please check this PR again? I reply your comments, current code does not add new file in buildimage, when install tcpdump, the package will install a local apparmer profile, and current code will check and modify the local apparmer profile.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the local apparmer profile is empty, right?
it is better to make the local file more deterministic
suggest to use this approach.
sudo cp files/dhcp/rfc3442-classless-routes $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lguohan , thanks, fixed according to your suggestion, please check.
@liuh-80 As the process, if you require backport to 202205, please make sure it could be clean cherry-pick to 202205 locally, test it locally, and add the version string into PR description "Tested branch (Please provide the tested image version)". This PR description process only applies to the earliest branch you want to backport. In reply to: 1712434300 |
ba8e89f
to
7dbb86c
Compare
Fixed, verify this PR can clean cherry-pick to 202205, also tested image version updated. |
@liuh-80 have you tested with 202305? Could you update in the description? |
Verified with SONiC.202305.388563-584c448b2, PR description updated. |
Fix tcpdump report error when tacacs enabled. Why I did it Fix tcpdump report error when tacacs enabled: Sep 1 09:25:18.189395 vlab-01 ERR tcpdump: nss_tacplus: /etc/tacplus_nss.conf fopen failed Sep 1 09:25:18.189606 vlab-01 ERR tcpdump: nss_tacplus: bad config or server line for nss_tacplus This is because debian add a patch create AppArmor profile for resource access control. The profile need update to allow tcpdump access /etc/tacplus_nss.conf. Work item tracking Microsoft ADO: 17667308 How I did it Modify tcpdump AppArmor profile, add new line to allow tcpdump access TACACS config file: /etc/tacplus_nss.conf r,
Cherry-pick PR to 202305: #17077 |
Fix tcpdump report error when tacacs enabled.
Why I did it
Fix tcpdump report error when tacacs enabled:
Sep 1 09:25:18.189395 vlab-01 ERR tcpdump: nss_tacplus: /etc/tacplus_nss.conf fopen failed
Sep 1 09:25:18.189606 vlab-01 ERR tcpdump: nss_tacplus: bad config or server line for nss_tacplus
This is because debian add a patch create AppArmor profile for resource access control. The profile need update to allow tcpdump access /etc/tacplus_nss.conf.
Work item tracking
How I did it
Modify tcpdump AppArmor profile, add new line to allow tcpdump access TACACS config file:
/etc/tacplus_nss.conf r,
How to verify it
Pass all UT.
Manually verify error fixed.
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Description for the changelog
Fix tcpdump report error when tacacs enabled.
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)