forked from sonic-net/sonic-buildimage
merge with master #4
Merged
* [slave.mk]: Fix displaying username and password in build summary

We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while image can be built with USERNAME and/or PASSWORD given on make(1) command line. For example:

    $ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin

Fix by displaying USERNAME and PASSWORD variables in build summary.

Signed-off-by: Sergey Popovich <[email protected]>

* [baseimage]: Improve default user account handling

There are couple of issues with current implementation of default user account management in baseimage:

1) It uses DES to encrypt accounts password. Furthermore this effectively limits password length to 8 symbols, even if more provided with PASSWORD or DEFAULT_PASSWORD from rules/config.

2) Salt value for password is same on all builds even with different password increasing attack surface.

3) During the build process password passed as command line parameter either as plain text (if given to make(1) as "make PASSWORD=...") or DES encrypted (if given to build_debian.sh) can be seen by non-build users using /proc/<pid>/cmdline file that has group and world readable permissions.

Both 1) and 2) come from:

    perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"

that by default uses DES if salt does not have format $<id>$<salt>$, where <id> is hashing function id. See crypt(3) for more details on valid <id> values.

To address issues above we propose following changes:

1) Do not create password by hands (e.g. using perl snippet above): put this job to chpasswd(8) which is aware about system wide password hashing policy specified in /etc/login.defs with ENCRYPT_METHOD (by default it is SHA512 for Debian 8).

2) Now chpasswd(8) will take care about proper salt value.

3) This has two steps:

3.1) For compatibility reasons accept USERNAME and PASSWORD as make(1) parameters, but warn user that this is unsafe.

3.2) Use process environment to pass USERNAME and PASSWORD variables from Makefile to build_debian.sh as more secure alternative to passing via command line parameters: /proc/<pid>/environ readable only by user running process or privileged users like root.

Before change:
--------------

hash1
-----

    # u='admin'
    # p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
                                        ^^^^^^^^ 8 symbols
    # echo "$u:$p" | chpasswd -e
    # getent shadow admin
    admin:sazQDkwgZPfSk:17680:0:99999:7:::
          ^^^^^^^^^^^^^ Note the hash (DES encrypted password)

hash2
-----

    # u='admin'
    # p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
                                        ^^^^^^^^^^^^ 12 symbols
    # echo "$u:$p" | chpasswd -e
    # getent shadow admin
    admin:sazQDkwgZPfSk:17680:0:99999:7:::
          ^^^^^^^^^^^^^ Hash is the same as for "YourPaSs"

After change:
-------------

hash1
-----

    # echo "admin:YourPaSs" | chpasswd
    # getent shadow admin
    admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
             ^^^^^^^^ Note salt here
    ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::

hash2
-----

    # echo "admin:YourPaSs" | chpasswd
    # getent shadow admin
    admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
             ^^^^^^^^ Here salt completely different from case above
    plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::

Since salt is different hashes for same password different too.

hash1
-----

    # LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
                                               ^^^^^ We want SHA512 hash
    $6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
    yd2ELrIMJ.FQLNjgSD0nNha7/

hash2
-----

    # LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
    $6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
    kYDI8zwRumRwga/A29nHm4mZ1

Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but different password length we have different hashes.

Signed-off-by: Sergey Popovich <[email protected]>
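An added example, not part of the commit above or of the SONiC build scripts: a small audit that reads shadow(5) entries collected from built images, flags traditional DES hashes, and reports salts shared between entries. The image labels, function names and the placeholder hash body are assumptions made for illustration; the DES line and the two SHA-512 salts are the ones shown in the commit message.

```python
import re
from collections import defaultdict

# crypt(3) ids encoded as $<id>$[rounds=N$]<salt>$<hash>
SALTED = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}
# Traditional crypt output: 2-character salt followed by 11 hash characters
DES = re.compile(r"[./0-9A-Za-z]{13}")


def classify(field):
    """Return (scheme, salt) for the password field of one shadow(5) entry."""
    if not field or field[0] in "!*":
        return ("locked-or-empty", None)
    if DES.fullmatch(field):
        return ("DES", field[:2])
    parts = field.split("$")
    if len(parts) >= 4 and parts[0] == "" and parts[1] in SALTED:
        salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
        return (SALTED[parts[1]], salt)
    return ("unknown", None)


def audit(entries):
    """entries: iterable of (image_label, shadow_line). Returns sorted findings."""
    findings, by_salt = [], defaultdict(list)
    for label, line in entries:
        user, field = line.split(":")[:2]
        scheme, salt = classify(field)
        if scheme == "DES":
            findings.append((label, user, "DES hash: only 8 password characters used"))
        if salt is not None:
            by_salt[(scheme, salt)].append((label, user))
    for (scheme, salt), owners in by_salt.items():
        if len(owners) > 1:  # the same salt appears in more than one entry
            for label, user in owners:
                findings.append((label, user, f"{scheme} salt '{salt}' shared by {len(owners)} entries"))
    return sorted(findings)


BODY = "H" * 86  # constructed placeholder standing in for the SHA-512 hash body
SAMPLE = [  # constructed image labels; DES line and salts taken from the commit message
    ("image-a", "admin:sazQDkwgZPfSk:17680:0:99999:7:::"),
    ("image-b", "admin:sazQDkwgZPfSk:17680:0:99999:7:::"),
    ("image-c", f"admin:$6$1Nho1jHC${BODY}:17681:0:99999:7:::"),
    ("image-d", f"admin:$6$yKU5g7BO${BODY}:17681:0:99999:7:::"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Entries produced by chpasswd(8) with per-entry random salts yield no findings; the two images built with the old perl snippet are each reported twice, once for DES and once for the shared salt.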
Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
…rdes_firmware_mode_xe=0x1' line (#1779)
* Add Broadcom config files for Arista-7050-QX32 and Arista-7050-Q16S64 SKUs under respective directories
* Remove 'serdes_firmware_mode_xe=0x1' line from Arista 7050 Broadcom config files
Signed-off-by: Qi Luo <[email protected]>
…an Stretch (#1795) Signed-off-by: Qi Luo <[email protected]>
Fix mirror session destination update bug causing no resources issue Signed-off-by: Shu0T1an ChenG <[email protected]>
Signed-off-by: Qi Luo <[email protected]>
…nds fixed (#1798) Signed-off-by: Denis Maslov <[email protected]>
…ed (#1801)
* Manually send SIGHUP to vtysh when the current session was disconnected
* Address comments

* First part of skipping not used port for qos configuration
* Use active ports only to set QoS parameters for 6100
* Add a test for qos.json.j2
* Add a test for Dell S6100 buffers.json template
* Update submodule
Signed-off-by: Sihui Han <[email protected]>
Signed-off-by: Sihui Han <[email protected]>
…1803)
* Enable bgp soft-reconfiguration inbound for quagga templates
After commit 832be7b ("[dockers] Prevent apt-get from installing suggested and recommended packages by default (#1666)") SONiC fails to build when FRR is used for routing stack (e.g. SONIC_ROUTING_STACK is set to frr in rules/config). To fix issue just replicate changes from docker-fpm-quagga to docker-fpm-frr to make dependencies installed correctly after above change to package installing behaviour. Signed-off-by: Sergey Popovich <[email protected]>
…cture and create the profile for t1 (#1709)
Move the ingress lossless profile from buffers.json.j2 to pg_profile_lookup.ini
Move pool and the rest of the profile from buffers.json.j2 to buffers_defaults_t1.j2
Add port speed info in port_config.ini
Make buffers_default_t1.j2 the default profile in buffers.json.j2
Signed-off-by: Wenda Ni <[email protected]>

This applies to arista_7050_qx32 and arista_7050_qx32s.

SAI 1.12.0
SDK 4.2.8103
FW 13.1701.0008
Signed-off-by: Stepan Blyschak <[email protected]>

* Update sensors.conf for 7050QX-32 and 7050QX-32S
  These two platforms were using a previous version of a kernel driver. The new one names the i2c buses differently. We therefore need to rename them here.
* Fix the default minigraph for the 7050QX-32S
  The interface offset is invalid which makes sonic-cfggen generate an invalid config_db.json in rc.local. This config then silently makes orchagent/syncd fail.
* Use the partition on which sonic-aboot.swi is
  Instead of always assuming /mnt/flash, use the partition where the image to be installed lies. This allows for the image to be on any partition.
Fixes in bufferorchs ready_lists
* Add function pointers for extended get stats API Signed-off-by: Guohan Lu <[email protected]>
This commit updates the shared headroom value for z9100 T0 and T1 profile based on the ratio. The ratio is derived from the 40G broadcom recommended XL Sheet. Unit tested the above configuration by dumping the registers for the shared headroom. The shared headroom values in registers reflect the correct new values for both T1 and T0.
Signed-off-by: Harish Venkatraman <[email protected]>
Signed-off-by: Andriy Moroz <[email protected]>
Signed-off-by: Volodymyr Samotiy <[email protected]>
* sonic-quagga update. Don't spam with 'Vtysh connected from' message
* Restart counters in 60 seconds after manual swss restart
Signed-off-by: Ying Xie <[email protected]>
Signed-off-by: Guohan Lu <[email protected]>
Signed-off-by: Qi Luo <[email protected]>
* [swss]: sonic-swss submodule update
  Signed-off-by: Guohan Lu <[email protected]>
* [broadcom]: update sai.mk
  Signed-off-by: Guohan Lu <[email protected]>
Signed-off-by: Guohan Lu <[email protected]>
Signed-off-by: Sihui Han <[email protected]>
* Wait initializing led_proc for 60 seconds. bcm sdk needs time to be ready to accept a connection
* Run arp_update just once, don't restart it. It will run continuously with 5 min pauses
simonJi2018 pushed a commit that referenced this pull request Aug 22, 2018
Update package revision Create submodule for sources Signed-off-by: marian-pritsak <[email protected]>
simonJi2018 pushed a commit that referenced this pull request May 14, 2019
…c-net#2832)
* Base DHCP relay Docker image on Stretch base Docker
* Change URL for isc-dhcp source repository
* Upgrade isc-dhcp source branch to 4.3.5-3.1
* Update patch #1 to apply to isc-dhcp 4.3.5-3.1
* Update patch #2 to apply to isc-dhcp 4.3.5-3.1
* Update patch #3 to apply to isc-dhcp 4.3.5-3.1
* Update patch #4 to apply to isc-dhcp 4.3.5-3.1
* Remove security patches, as they are now applied as part of 4.3.5-3.1 source
* Reorder patches to apply bug fix first, then features
* Extend makefile to build debug Docker image
* Update commit that series file applies against