Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Skip the validation of action in acl-loader if capability table in STATE_DB is empty #3199

Merged
merged 2 commits into from
Mar 11, 2024
Merged

Skip the validation of action in acl-loader if capability table in STATE_DB is empty #3199

merged 2 commits into from
Mar 11, 2024

Conversation

bingwang-ms
Copy link
Contributor

@bingwang-ms bingwang-ms commented Mar 8, 2024
edited
Loading

What I did

This PR is to fix a racing condition in system bootup path.

In the system bootup path, config-setup service will call config load_minigraph if it's the first startup, and then /etc/sonic/acl.json is loaded by config load_minigraph.

If orchagent hasn't written ACL_STAGE_CAPABILITY_TABLE or SWITCH_CAPABILITY_TABLE into STATE_DB before being terminated, then the dataplane ACL rules defined in /etc/sonic/acl.json is skipped.

This PR is to fix the racing condition by adding an option skip_action_validation to acl-loader. If the option skip_action_validation is true, and ACL_STAGE_CAPABILITY_TABLE or SWITCH_CAPABILITY_TABLE is empty, the action validation is skipped.

How I did it

This PR added an option skip_action_validation to acl-loader. If the option skip_action_validation is true, and ACL_STAGE_CAPABILITY_TABLE or SWITCH_CAPABILITY_TABLE is empty, the action validation is skipped.

How to verify it

  1. Verified by UT
  2. Verified by running on a physical testbed.
Mar  8 21:37:37.397041 str2-msn2700-spy-2 INFO config-setup[2603]: Use minigraph.xml from old system...
Mar  8 21:37:37.399330 str2-msn2700-spy-2 INFO config-setup[2603]: Reloading minigraph...
Mar  8 21:37:39.179990 str2-msn2700-spy-2 INFO config-setup[2701]: Running command: /usr/local/bin/sonic-cfggen -H -m -j /etc/sonic/init_cfg.json --write-to-db
Mar  8 21:37:44.390483 str2-msn2700-spy-2 INFO config-setup[2701]: Running command: /usr/local/bin/sonic-cfggen -d -y /etc/sonic/sonic_version.yml -t /usr/share/sonic/templates/sonic-environment.j2,/etc/sonic/sonic-environment
Mar  8 21:37:44.897351 str2-msn2700-spy-2 INFO config-setup[2701]: Running command: acl-loader update full /etc/sonic/acl.json --skip_action_validation
Mar  8 21:37:45.353639 str2-msn2700-spy-2 INFO config-setup[2701]: Warning: Skipped action validation as capability table is not present in STATE_DB
Mar  8 21:37:45.354330 str2-msn2700-spy-2 INFO config-setup[2701]: Running command: config qos reload --no-dynamic-buffer --no-delay
Mar  8 21:37:47.266357 str2-msn2700-spy-2 INFO config-setup[2701]: Running command: /usr/local/bin/sonic-cfggen -d --write-to-db -t /usr/share/sonic/device/x86_64-mlnx_msn2700-r0/Mellanox-SN2700/buffers.json.j2,config-db -t /usr/share/sonic/device/x86_64-mlnx_msn2700-r0/Mellanox-SN2700/qos.json.j2,config-db -y /etc/sonic/sonic_version.yml
Mar  8 21:37:47.266489 str2-msn2700-spy-2 INFO config-setup[2701]: Buffer calculation model updated, restarting swss is required to take effect
Mar  8 21:37:47.769088 str2-msn2700-spy-2 INFO config-setup[2701]: Running command: pfcwd start_default
Mar  8 21:37:48.741003 str2-msn2700-spy-2 INFO config-setup[2701]: Please note setting loaded from minigraph will be lost after system reboot. To preserve setting, run `config save`.
Mar  8 21:37:49.586524 str2-msn2700-spy-2 INFO config-setup[5379]: Running command: /usr/local/bin/sonic-cfggen -d --print-data > /etc/sonic/config_db.json
Mar  8 21:37:50.738952 str2-msn2700-spy-2 INFO config-setup[5391]: True

The rules are loaded successfully after reloading.

admin@str2-msn2700-spy-2:~$ show acl rule
Table    Rule          Priority    Action    Match               Status
-------  ------------  ----------  --------  ------------------  --------
DATAACL  RULE_1        9999        DROP      DST_IP: 9.5.9.3/32  Active
                                             ETHER_TYPE: 2048
DATAACL  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048    Active

Previous command output (if the output of a command-line utility has changed)

admin@str2-msn2700-spy-2:~$ acl-loader update full --help
Usage: acl-loader update full [OPTIONS] FILENAME

  Full update of ACL rules configuration. If a table_name is provided, the
  operation will be restricted in the specified table.

Options:
  --table_name TEXT
  --session_name TEXT
  --mirror_stage [ingress|egress]
  --max_priority INTEGER
  --help                          Show this message and exit.

New command output (if the output of a command-line utility has changed)

The help info changed.

admin@str2-msn2700-spy-2:~$ acl-loader update full --help
Usage: acl-loader update full [OPTIONS] FILENAME

  Full update of ACL rules configuration. If a table_name is provided, the
  operation will be restricted in the specified table.

Options:
  --table_name TEXT
  --session_name TEXT
  --mirror_stage [ingress|egress]
  --max_priority INTEGER
  --skip_action_validation        Skip action validation
  --help                          Show this message and exit.

@bingwang-ms
Copy link
Contributor Author

MSADO 27110039

@bingwang-ms bingwang-ms merged commit 7466dc4 into sonic-net:master Mar 11, 2024
5 checks passed
@StormLiangMS
Copy link
Contributor

hi @bingwang-ms, could you run test with 202305 image?

mssonicbld pushed a commit to mssonicbld/sonic-utilities that referenced this pull request Mar 11, 2024
@bingwang-ms @mssonicbld
Skip the validation of action in acl-loader if capability table in ST…
106c23f 
…ATE_DB is empty (sonic-net#3199)

* Add skip_action_validation option to acl-loader
@mssonicbld mssonicbld mentioned this pull request Mar 11, 2024
Merged
@mssonicbld
Copy link
Collaborator

Cherry-pick PR to 202311: #3207

@bingwang-ms
Copy link
Contributor Author

hi @bingwang-ms, could you run test with 202305 image?

Yes, the test has been done on 202305 image by manually cherry-pick and run the image upgrade.

mssonicbld pushed a commit that referenced this pull request Mar 11, 2024
@bingwang-ms @mssonicbld
Skip the validation of action in acl-loader if capability table in ST…
c68f4b1 
…ATE_DB is empty (#3199)

* Add skip_action_validation option to acl-loader
mssonicbld pushed a commit to mssonicbld/sonic-utilities that referenced this pull request Mar 13, 2024
@bingwang-ms @mssonicbld
Skip the validation of action in acl-loader if capability table in ST…
7bf73c6 
…ATE_DB is empty (sonic-net#3199)

* Add skip_action_validation option to acl-loader
@mssonicbld mssonicbld mentioned this pull request Mar 13, 2024
Merged
@mssonicbld
Copy link
Collaborator

Cherry-pick PR to 202305: #3214

mssonicbld pushed a commit that referenced this pull request Mar 13, 2024
@bingwang-ms @mssonicbld
Skip the validation of action in acl-loader if capability table in ST…
8bde9cf 
…ATE_DB is empty (#3199)

* Add skip_action_validation option to acl-loader
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Blueve Blueve Blueve approved these changes

@lizhijianrd lizhijianrd lizhijianrd approved these changes

@yxieca yxieca Awaiting requested review from yxieca

Assignees
No one assigned
Labels
Approved for 202305 Branch Approved for 202311 Branch Included in 202305 Branch Included in 202311 Branch Request for 202305 Branch Request for 202311 Branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@bingwang-ms @StormLiangMS @mssonicbld @Blueve @lizhijianrd @yxieca