[MACsec]: Set MACsec feature to be auto-start (#6678)
1. Add supervisord as the entrypoint of docker-macsec
2. Add wpa_supplicant conf into docker-macsec
3. Set the macsecmgrd as the critical_process
4. Configure supervisor to monitor macsecmgrd
5. Set macsec in the features list
6. Add config variable `INCLUDE_MACSEC`
7. Add macsec.service

**- How to verify it**

Change the `/etc/sonic/config_db.json` as follow
```
{
    "PORT": {
        "Ethernet0": {
            ...
            "macsec": "test"
         }
    }
    ...
    "MACSEC_PROFILE": {
        "test": {
            "priority": 64,
            "cipher_suite": "GCM-AES-128",
            "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
            "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
            "policy": "security"
        }
    }
}
```
After executing `sudo config reload -y`, we should find that the following new items have been inserted into the APPL_DB in redis
```
127.0.0.1:6379> keys *MAC*
1) "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538"
2) "MACSEC_PORT_TABLE:Ethernet0"
127.0.0.1:6379> hgetall "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538"
1) "ssci"
2) ""
3) "encoding_an"
4) "0"
127.0.0.1:6379> hgetall "MACSEC_PORT_TABLE:Ethernet0"
 1) "enable"
 2) "false"
 3) "cipher_suite"
 4) "GCM-AES-128"
 5) "enable_protect"
 6) "true"
 7) "enable_encrypt"
 8) "true"
 9) "enable_replay_protect"
10) "false"
11) "replay_window"
12) "0"
```

Signed-off-by: Ze Gan <[email protected]>
Pterosaur authored Feb 23, 2021
1 parent 8ec7580 commit 4068944
Showing 10 changed files with 75 additions and 5 deletions.
3 changes: 2 additions & 1 deletion dockers/docker-macsec/Dockerfile.j2
Expand Up @@ -26,5 +26,6 @@ COPY ["start.sh", "/usr/bin/"]
COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
COPY ["critical_processes", "/etc/supervisor"]
COPY ["etc/wpa_supplicant.conf", "/etc/wpa_supplicant.conf"]

# ENTRYPOINT ["/usr/bin/supervisord"]
ENTRYPOINT ["/usr/local/bin/supervisord"]
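--- a/dockers/docker-macsec/critical_processes
+++ b/dockers/docker-macsec/critical_processes
@@ -0,0 +1 @@
+program:macsecmgrd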
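--- a/dockers/docker-macsec/etc/wpa_supplicant.conf
+++ b/dockers/docker-macsec/etc/wpa_supplicant.conf
@@ -0,0 +1,3 @@
+eapol_version=3
+ap_scan=0
+fast_reauth=1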
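Review bot: The three settings are written without any explanation, and a reader who has not worked with MKA will not know why `eapol_version=3` is the one value that matters; wpa_supplicant.conf accepts `#` comments, so each line should say what it is for. I would put `# eapol_version=3: EAPOL v3 (IEEE 802.1X-2010) is required for MKA/MACsec key agreement` above the first line, `# ap_scan=0: wired interface, no AP scanning` above the second, and `# fast_reauth=1: allow EAP fast re-authentication` above the third. Since the Dockerfile in this commit copies the file to /etc/wpa_supplicant.conf with default permissions, a closing comment that the file intentionally holds no key material (the CAK/CKN come from MACSEC_PROFILE in config_db, per the description) would record that constraint for whoever extends it next.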
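--- a/dockers/docker-macsec/supervisord.conf
+++ b/dockers/docker-macsec/supervisord.conf
@@ -0,0 +1,38 @@
+[supervisord]
+logfile_maxbytes=1MB
+logfile_backups=2
+nodaemon=true
+
+[eventlistener:dependent-startup]
+command=python3 -m supervisord_dependent_startup
+autostart=true
+autorestart=unexpected
+startretries=0
+exitcodes=0,3
+events=PROCESS_STATE
+buffer_size=25
+
+[eventlistener:supervisor-proc-exit-listener]
+command=/usr/bin/supervisor-proc-exit-listener --container-name macsec
+events=PROCESS_STATE_EXITED,PROCESS_STATE_RUNNING
+autostart=true
+autorestart=unexpected
+
+[program:rsyslogd]
+command=/usr/sbin/rsyslogd -n -iNONE
+priority=1
+autostart=false
+autorestart=false
+stdout_logfile=syslog
+stderr_logfile=syslog
+dependent_startup=true
+
+[program:macsecmgrd]
+command=/usr/bin/macsecmgrd
+priority=2
+autostart=false
+autorestart=false
+stdout_logfile=syslog
+stderr_logfile=syslog
+dependent_startup=true
+dependent_startup_wait_for=rsyslogd:running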
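Review bot: `[program:macsecmgrd]` is configured with `autostart=false` and `autorestart=false` and the file does not say why; the visible reason is that the dependent-startup listener starts it once rsyslogd is RUNNING, and it is named in critical_processes in this same commit, so its exit is presumably meant to be handled by supervisor-proc-exit-listener rather than by a supervisord restart. I would record that above the section header as `; started by dependent-startup once rsyslogd is RUNNING; not restarted here because` / `; macsecmgrd is a critical process handled by supervisor-proc-exit-listener`, and give rsyslogd's `autorestart=false` the same one-line note. The `exitcodes=0,3` and `buffer_size=25` values on the dependent-startup listener also deserve a comment naming the source of those numbers, since they are copied without explanation.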
1 change: 1 addition & 0 deletions files/build_templates/init_cfg.json.j2
Expand Up @@ -34,6 +34,7 @@
{%- if include_nat == "y" %}{% do features.append(("nat", "disabled", false, "enabled")) %}{% endif %}
{%- if include_restapi == "y" %}{% do features.append(("restapi", "enabled", false, "enabled")) %}{% endif %}
{%- if include_sflow == "y" %}{% do features.append(("sflow", "disabled", false, "enabled")) %}{% endif %}
{%- if include_macsec == "y" %}{% do features.append(("macsec", "disabled", false, "enabled")) %}{% endif %}
{%- if include_system_telemetry == "y" %}{% do features.append(("telemetry", "enabled", true, "enabled")) %}{% endif %}
"FEATURE": {
{# has_timer field if set, will start the feature systemd .timer unit instead of .service unit #}
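Review bot: The new macsec tuple sets the feature state to `"disabled"` while the commit title says MACsec is set to auto-start; if the fourth field (`"enabled"`) is the auto_restart flag, as the neighbouring nat and sflow tuples suggest, then a fresh image ships with docker-macsec installed (INCLUDE_MACSEC defaults to y in this commit) but not running until the FEATURE table entry is switched to enabled. Either the description should state that explicitly, or the state should be `"enabled"` if the intent really is to start the container on boot. A short `{# macsec: installed by default (INCLUDE_MACSEC=y) but left disabled until enabled in the FEATURE table #}` comment next to the line would make the intended default unambiguous.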
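--- a/files/build_templates/macsec.service.j2
+++ b/files/build_templates/macsec.service.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description=MACsec container
+Requires=swss.service
+After=swss.service syncd.service
+StartLimitIntervalSec=1200
+StartLimitBurst=3
+
+[Service]
+User=root
+ExecStartPre=/usr/bin/macsec.sh start
+ExecStart=/usr/bin/macsec.sh wait
+ExecStop=/usr/bin/macsec.sh stop
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target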
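Review bot: The unit runs `/usr/bin/macsec.sh` in ExecStartPre, ExecStart and ExecStop, but none of the ten files in this commit adds that script; if it is produced from the shared per-container control-script template during the image build, that should be confirmed, because otherwise the service fails at ExecStartPre on first boot and then hits `StartLimitBurst=3`. The file carries a .j2 extension but contains no template syntax, which is fine if the build renders every *.service.j2 uniformly. A one-line `# macsec.sh is generated from the per-container docker control template at image build time` comment at the top of the unit would answer the question for the next reader.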
3 changes: 3 additions & 0 deletions rules/config
Expand Up @@ -146,6 +146,9 @@ INCLUDE_NAT = y
# run as worker node in kubernetes cluster.
INCLUDE_KUBERNETES = n

# INCLUDE_MACSEC - build docker-macsec for macsec support
INCLUDE_MACSEC = y

# KUBERNETES_VERSION - Set to the required version.
# K8s_GCR_IO_PAUSE_VERSION - Version of k8s universal pause container image
# These are Used *only* when INCLUDE_KUBERNETES=y
7 changes: 4 additions & 3 deletions rules/docker-macsec.mk
Expand Up @@ -16,17 +16,18 @@ $(DOCKER_MACSEC)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_IMAGE
$(DOCKER_MACSEC)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BUSTER)

SONIC_DOCKER_IMAGES += $(DOCKER_MACSEC)
ifeq ($(INCLUDE_MACSEC), y)
SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_MACSEC)
SONIC_BUSTER_DOCKERS += $(DOCKER_MACSEC)
endif

SONIC_DOCKER_DBG_IMAGES += $(DOCKER_MACSEC_DBG)
ifeq ($(INCLUDE_MACSEC), y)
SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_MACSEC_DBG)
SONIC_BUSTER_DBG_DOCKERS += $(DOCKER_MACSEC_DBG)
endif

$(DOCKER_MACSEC)_CONTAINER_NAME = macsec
$(DOCKER_MACSEC)_RUN_OPT += --privileged -t
$(DOCKER_MACSEC)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
$(DOCKER_MACSEC)_RUN_OPT += -v /host/warmboot:/var/warmboot

# $(DOCKER_MACSEC)_BASE_IMAGE_FILES += macsecctl:/usr/bin/macsecctl
$(DOCKER_MACSEC)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
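Review bot: `$(DOCKER_MACSEC)_RUN_OPT += --privileged -t` grants the container the full capability set, and nothing in the file records why the MACsec container needs more than network administration; the rendered page does not show whether this line is new or context, but it is the new-side configuration. If macsecmgrd and wpa_supplicant only configure kernel MACsec interfaces, `--cap-add NET_ADMIN` would be the narrower grant — confirm against what the daemons actually require and record the outcome as `# --privileged: <reason, to be confirmed>`. The commented-out `# $(DOCKER_MACSEC)_BASE_IMAGE_FILES += macsecctl:/usr/bin/macsecctl` line is dead configuration if it survives on the new side; either drop it or make it a TODO that says when macsecctl will be shipped.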
5 changes: 5 additions & 0 deletions slave.mk
Expand Up @@ -138,6 +138,9 @@ ifeq ($(SONIC_INCLUDE_NAT),y)
INCLUDE_NAT = y
endif

ifeq ($(SONIC_INCLUDE_MACSEC),y)
INCLUDE_MACSEC = y
endif

include $(RULES_PATH)/functions

Expand Down Expand Up @@ -252,6 +255,7 @@ $(info "INCLUDE_RESTAPI" : "$(INCLUDE_RESTAPI)")
$(info "INCLUDE_SFLOW" : "$(INCLUDE_SFLOW)")
$(info "INCLUDE_NAT" : "$(INCLUDE_NAT)")
$(info "INCLUDE_KUBERNETES" : "$(INCLUDE_KUBERNETES)")
$(info "INCLUDE_MACSEC" : "$(INCLUDE_MACSEC)")
$(info "TELEMETRY_WRITABLE" : "$(TELEMETRY_WRITABLE)")
$(info "PDDF_SUPPORT" : "$(PDDF_SUPPORT)")
$(info )
Expand Down Expand Up @@ -892,6 +896,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
export include_restapi="$(INCLUDE_RESTAPI)"
export include_nat="$(INCLUDE_NAT)"
export include_sflow="$(INCLUDE_SFLOW)"
export include_macsec="$(INCLUDE_MACSEC)"
export include_mgmt_framework="$(INCLUDE_MGMT_FRAMEWORK)"
export include_iccpd="$(INCLUDE_ICCPD)"
export pddf_support="$(PDDF_SUPPORT)"
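Review bot: The new `ifeq ($(SONIC_INCLUDE_MACSEC),y)` block can only force INCLUDE_MACSEC to y, and rules/config in this same commit already defaults `INCLUDE_MACSEC = y`, so — assuming rules/config is included before this point, as the INCLUDE_NAT handling above implies — the environment override has no effect in either direction. It mirrors the INCLUDE_NAT block directly above it, so this may be deliberate, but if a build should be able to opt out of docker-macsec the block has to pass the value through, e.g. `ifneq ($(SONIC_INCLUDE_MACSEC),)` / `INCLUDE_MACSEC = $(SONIC_INCLUDE_MACSEC)` / `endif`. The `$(info "INCLUDE_MACSEC" ...)` and `export include_macsec=...` additions in the later two hunks are consistent with the other INCLUDE_* variables and need no change.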
2 changes: 1 addition & 1 deletion src/wpasupplicant/sonic-wpa-supplicant
