From 4068944202048b9018ee1f81d8198aed8ef552bf Mon Sep 17 00:00:00 2001 From: Ze Gan Date: Wed, 24 Feb 2021 05:22:45 +0800 Subject: [PATCH] [MACsec]: Set MACsec feature to be auto-start (#6678) 1. Add supervisord as the entrypoint of docker-macsec 2. Add wpa_supplicant conf into docker-macsec 3. Set the macsecmgrd as the critical_process 4. Configure supervisor to monitor macsecmgrd 5. Set macsec in the features list 6. Add config variable `INCLUDE_MACSEC` 7. Add macsec.service **- How to verify it** Change the `/etc/sonic/config_db.json` as follows ``` { "PORT": { "Ethernet0": { ... "macsec": "test" } } ... "MACSEC_PROFILE": { "test": { "priority": 64, "cipher_suite": "GCM-AES-128", "primary_cak": "0123456789ABCDEF0123456789ABCDEF", "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435", "policy": "security" } } } ``` After executing `sudo config reload -y`, we should find the following new items inserted in the app_db of redis ``` 127.0.0.1:6379> keys *MAC* 1) "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538" 2) "MACSEC_PORT_TABLE:Ethernet0" 127.0.0.1:6379> hgetall "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538" 1) "ssci" 2) "" 3) "encoding_an" 4) "0" 127.0.0.1:6379> hgetall "MACSEC_PORT_TABLE:Ethernet0" 1) "enable" 2) "false" 3) "cipher_suite" 4) "GCM-AES-128" 5) "enable_protect" 6) "true" 7) "enable_encrypt" 8) "true" 9) "enable_replay_protect" 10) "false" 11) "replay_window" 12) "0" ```
Signed-off-by: Ze Gan
---
 dockers/docker-macsec/Dockerfile.j2 | 3 +-
 dockers/docker-macsec/critical_processes | 1 +
 dockers/docker-macsec/etc/wpa_supplicant.conf | 3 ++
 dockers/docker-macsec/supervisord.conf | 38 +++++++++++++++++++
 files/build_templates/init_cfg.json.j2 | 1 +
 files/build_templates/macsec.service.j2 | 17 +++++++++
 rules/config | 3 ++
 rules/docker-macsec.mk | 7 ++--
 slave.mk | 5 +++
 src/wpasupplicant/sonic-wpa-supplicant | 2 +-
 10 files changed, 75 insertions(+), 5 deletions(-)
 create mode 100644 dockers/docker-macsec/etc/wpa_supplicant.conf
 create mode 100644 files/build_templates/macsec.service.j2
diff --git a/dockers/docker-macsec/Dockerfile.j2 b/dockers/docker-macsec/Dockerfile.j2
index bf8db48079e0..9bbfd69e8d5b 100644
--- a/dockers/docker-macsec/Dockerfile.j2
+++ b/dockers/docker-macsec/Dockerfile.j2
@@ -26,5 +26,6 @@ COPY ["start.sh", "/usr/bin/"]
 COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
 COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
 COPY ["critical_processes", "/etc/supervisor"]
+COPY ["etc/wpa_supplicant.conf", "/etc/wpa_supplicant.conf"]
 
-# ENTRYPOINT ["/usr/bin/supervisord"]
+ENTRYPOINT ["/usr/local/bin/supervisord"]
diff --git a/dockers/docker-macsec/critical_processes b/dockers/docker-macsec/critical_processes
index e69de29bb2d1..e11933a7547f 100644
--- a/dockers/docker-macsec/critical_processes
+++ b/dockers/docker-macsec/critical_processes
@@ -0,0 +1 @@
+program:macsecmgrd
diff --git a/dockers/docker-macsec/etc/wpa_supplicant.conf b/dockers/docker-macsec/etc/wpa_supplicant.conf
new file mode 100644
index 000000000000..a49bf6767d8a
--- /dev/null
+++ b/dockers/docker-macsec/etc/wpa_supplicant.conf
@@ -0,0 +1,3 @@
+eapol_version=3
+ap_scan=0
+fast_reauth=1
\ No newline at end of file
diff --git a/dockers/docker-macsec/supervisord.conf b/dockers/docker-macsec/supervisord.conf
index e69de29bb2d1..5bd0af35887b 100644
--- a/dockers/docker-macsec/supervisord.conf
+++ b/dockers/docker-macsec/supervisord.conf
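Review bot: The new `dockers/docker-macsec/etc/wpa_supplicant.conf` carries three bare settings with nothing saying why they are needed, and git reports it has no trailing newline; `dockers/docker-macsec/supervisord.conf` and `files/build_templates/macsec.service.j2` in this patch show the same `\ No newline at end of file` marker. A one-line comment per setting would help the next maintainer, e.g. `# eapol_version=3: IEEE 802.1X-2010 EAPOL framing, presumably required for MKA/MACsec` and `# ap_scan=0: wired interface, wpa_supplicant must not scan`. Ending each of the three files with a newline keeps a later one-line append from producing a two-line diff.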
@@ -0,0 +1,38 @@
+[supervisord]
+logfile_maxbytes=1MB
+logfile_backups=2
+nodaemon=true
+
+[eventlistener:dependent-startup]
+command=python3 -m supervisord_dependent_startup
+autostart=true
+autorestart=unexpected
+startretries=0
+exitcodes=0,3
+events=PROCESS_STATE
+buffer_size=25
+
+[eventlistener:supervisor-proc-exit-listener]
+command=/usr/bin/supervisor-proc-exit-listener --container-name macsec
+events=PROCESS_STATE_EXITED,PROCESS_STATE_RUNNING
+autostart=true
+autorestart=unexpected
+
+[program:rsyslogd]
+command=/usr/sbin/rsyslogd -n -iNONE
+priority=1
+autostart=false
+autorestart=false
+stdout_logfile=syslog
+stderr_logfile=syslog
+dependent_startup=true
+
+[program:macsecmgrd]
+command=/usr/bin/macsecmgrd
+priority=2
+autostart=false
+autorestart=false
+stdout_logfile=syslog
+stderr_logfile=syslog
+dependent_startup=true
+dependent_startup_wait_for=rsyslogd:running
\ No newline at end of file
diff --git a/files/build_templates/init_cfg.json.j2 b/files/build_templates/init_cfg.json.j2
index 0cf85cd8ab06..b8ed7c1453e7 100644
--- a/files/build_templates/init_cfg.json.j2
+++ b/files/build_templates/init_cfg.json.j2
@@ -34,6 +34,7 @@
 {%- if include_nat == "y" %}{% do features.append(("nat", "disabled", false, "enabled")) %}{% endif %}
 {%- if include_restapi == "y" %}{% do features.append(("restapi", "enabled", false, "enabled")) %}{% endif %}
 {%- if include_sflow == "y" %}{% do features.append(("sflow", "disabled", false, "enabled")) %}{% endif %}
+{%- if include_macsec == "y" %}{% do features.append(("macsec", "disabled", false, "enabled")) %}{% endif %}
 {%- if include_system_telemetry == "y" %}{% do features.append(("telemetry", "enabled", true, "enabled")) %}{% endif %}
 "FEATURE": {
 {# has_timer field if set, will start the feature systemd .timer unit instead of .service unit #}
diff --git a/files/build_templates/macsec.service.j2 b/files/build_templates/macsec.service.j2
new file mode 100644
index 000000000000..85229d1aea10
--- /dev/null
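Review bot: The Dockerfile hunk still copies `start.sh` to `/usr/bin/`, but this supervisord.conf defines no program that runs it, so nothing executes the script at container start. If start.sh is meant to prepare the container before the daemons come up, it needs a `[program:start]` entry with `command=/usr/bin/start.sh` that rsyslogd waits on via `dependent_startup_wait_for=start:exited`; if it is not meant to run any more, the COPY line in the Dockerfile is dead weight and should go with a note saying why. Either way a short comment at the top of the `[program:macsecmgrd]` section explaining that `autorestart=false` is deliberate because macsecmgrd is listed in critical_processes and the exit listener handles its failure would save the next reader the cross-reference.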
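Review bot: The new init_cfg.json.j2 line registers macsec with `"disabled"` in the second tuple field, which this template appears to use as the feature state (nat and sflow use the same value, restapi and telemetry use `"enabled"`), so the macsec container will not come up on its own despite the commit title. If the intent is that the container runs by default, the line should read `("macsec", "enabled", false, "enabled")`; if MACsec is deliberately off until a profile is configured, a Jinja comment such as `{# macsec stays disabled until a MACSEC_PROFILE is configured; enable it via the FEATURE table #}` next to the line would make that explicit.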
+++ b/files/build_templates/macsec.service.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description=MACsec container
+Requires=swss.service
+After=swss.service syncd.service
+StartLimitIntervalSec=1200
+StartLimitBurst=3
+
+[Service]
+User=root
+ExecStartPre=/usr/bin/macsec.sh start
+ExecStart=/usr/bin/macsec.sh wait
+ExecStop=/usr/bin/macsec.sh stop
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/rules/config b/rules/config
index 433bbeedebf0..b45ce2152806 100644
--- a/rules/config
+++ b/rules/config
@@ -146,6 +146,9 @@ INCLUDE_NAT = y
 # run as worker node in kubernetes cluster.
 INCLUDE_KUBERNETES = n
 
+# INCLUDE_MACSEC - build docker-macsec for macsec support
+INCLUDE_MACSEC = y
+
 # KUBERNETES_VERSION - Set to the required version.
 # K8s_GCR_IO_PAUSE_VERSION - Version of k8s universal pause container image
 # These are Used *only* when INCLUDE_KUBERNETES=y
diff --git a/rules/docker-macsec.mk b/rules/docker-macsec.mk
index f9f8c9b41298..e112a8fd3d8a 100644
--- a/rules/docker-macsec.mk
+++ b/rules/docker-macsec.mk
@@ -16,17 +16,18 @@ $(DOCKER_MACSEC)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_IMAGE
 $(DOCKER_MACSEC)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BUSTER)
 
 SONIC_DOCKER_IMAGES += $(DOCKER_MACSEC)
+ifeq ($(INCLUDE_MACSEC), y)
 SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_MACSEC)
-SONIC_BUSTER_DOCKERS += $(DOCKER_MACSEC)
+endif
 
 SONIC_DOCKER_DBG_IMAGES += $(DOCKER_MACSEC_DBG)
+ifeq ($(INCLUDE_MACSEC), y)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_MACSEC_DBG)
-SONIC_BUSTER_DBG_DOCKERS += $(DOCKER_MACSEC_DBG)
+endif
 
 $(DOCKER_MACSEC)_CONTAINER_NAME = macsec
 $(DOCKER_MACSEC)_RUN_OPT += --privileged -t
 $(DOCKER_MACSEC)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_MACSEC)_RUN_OPT += -v /host/warmboot:/var/warmboot
-# $(DOCKER_MACSEC)_BASE_IMAGE_FILES += macsecctl:/usr/bin/macsecctl
 $(DOCKER_MACSEC)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
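Review bot: The unit's ExecStartPre/ExecStart/ExecStop all invoke `/usr/bin/macsec.sh`, but no such script is among the ten files in this patch's diffstat; presumably the build generates it from the shared per-container control template like the other feature services, but that should be confirmed, and a `# macsec.sh is generated at build time from the docker control template` comment above `[Service]` would document the dependency. Also worth a comment is the restart policy: with `Restart=always`, `RestartSec=30`, `StartLimitBurst=3` and `StartLimitIntervalSec=1200`, three failures inside twenty minutes stop systemd from retrying, which for a link-security service means the affected ports stay without MACsec until someone intervenes, so the operator should know that is the intended failure mode. The file also has no trailing newline.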
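Review bot: The docker-macsec.mk hunk opens the same `ifeq ($(INCLUDE_MACSEC), y)` guard twice within six lines, once around `SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_MACSEC)` and once around `SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_MACSEC_DBG)`. Stating the condition once, with both `+=` lines inside a single `ifeq` … `endif`, reads better and avoids the two guards drifting apart if one is edited later. A short comment on that block, `# INCLUDE_MACSEC only controls installation; the image is always built`, would also make the deliberate asymmetry with the unconditional `SONIC_DOCKER_IMAGES +=` line explicit.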
diff --git a/slave.mk b/slave.mk
index 33b97653c597..7bde5d23923d 100644
--- a/slave.mk
+++ b/slave.mk
@@ -138,6 +138,9 @@ ifeq ($(SONIC_INCLUDE_NAT),y)
 INCLUDE_NAT = y
 endif
+ifeq ($(SONIC_INCLUDE_MACSEC),y)
+INCLUDE_MACSEC = y
+endif
 include $(RULES_PATH)/functions
@@ -252,6 +255,7 @@ $(info "INCLUDE_RESTAPI" : "$(INCLUDE_RESTAPI)")
 $(info "INCLUDE_SFLOW" : "$(INCLUDE_SFLOW)")
 $(info "INCLUDE_NAT" : "$(INCLUDE_NAT)")
 $(info "INCLUDE_KUBERNETES" : "$(INCLUDE_KUBERNETES)")
+$(info "INCLUDE_MACSEC" : "$(INCLUDE_MACSEC)")
 $(info "TELEMETRY_WRITABLE" : "$(TELEMETRY_WRITABLE)")
 $(info "PDDF_SUPPORT" : "$(PDDF_SUPPORT)")
 $(info )
@@ -892,6 +896,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 export include_restapi="$(INCLUDE_RESTAPI)"
 export include_nat="$(INCLUDE_NAT)"
 export include_sflow="$(INCLUDE_SFLOW)"
+export include_macsec="$(INCLUDE_MACSEC)"
 export include_mgmt_framework="$(INCLUDE_MGMT_FRAMEWORK)"
 export include_iccpd="$(INCLUDE_ICCPD)"
 export pddf_support="$(PDDF_SUPPORT)"
diff --git a/src/wpasupplicant/sonic-wpa-supplicant b/src/wpasupplicant/sonic-wpa-supplicant
index 3b330db4a331..7b6c1604a5e0 160000
--- a/src/wpasupplicant/sonic-wpa-supplicant
+++ b/src/wpasupplicant/sonic-wpa-supplicant
@@ -1 +1 @@
-Subproject commit 3b330db4a331d591cea5a1f3e820435181625793
+Subproject commit 7b6c1604a5e0fa5cf092d844eb7c2a64ae2b8ea6