From e66cb47ac1096bf1e37dc77a52f02426ab833cd9 Mon Sep 17 00:00:00 2001
From: abdosi <58047199+abdosi@users.noreply.github.com>
Date: Wed, 1 Jul 2020 15:58:53 -0700
Subject: [PATCH] [sonic-buildimage] Changes to make network specific sysctl
 common for both host and docker namespace (#4838)

* [sonic-buildimage] Changes to make network specific sysctl
common for both host and docker namespace (in multi-npu).

This change is triggered with issue found in multi-npu platforms
where in docker namespace
net.ipv6.conf.all.forwarding was 0 (should be 1) because of
which RS/RA message were triggered and link-local router were learnt.

Beside this there were some other sysctl.net.ipv6* params whose value
in docker namespace is not same as host namespace.

So to make we are always in sync in host and docker namespace
created common file that list all sysctl.net.* params and used
both by host and docker namespace. Any change will get applied
to both namespace.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>

* Address Review Comments and made sure to invoke augtool
only one and do string concatenation of all set commands

* Address Review Comments.
---
 build_debian.sh                           | 57 +++++------------------
 dockers/docker-database/Dockerfile.j2     |  1 +
 files/build_templates/docker_image_ctl.j2 |  2 +-
 files/image_config/sysctl/sysctl-net.conf | 39 ++++++++++++++++
 rules/docker-database.mk                  |  2 +-
 rules/scripts.mk                          |  8 ++--
 6 files changed, 58 insertions(+), 51 deletions(-)
 create mode 100644 files/image_config/sysctl/sysctl-net.conf

diff --git a/build_debian.sh b/build_debian.sh
index 550585c176ec..be973ea4a83c 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -389,61 +389,26 @@ rm /files/lib/systemd/system/rsyslog.service/Service/ExecStart/arguments
 set /files/lib/systemd/system/rsyslog.service/Service/ExecStart/arguments/1 -n
 "
 
-## Config sysctl
 sudo mkdir -p $FILESYSTEM_ROOT/var/core
+
+# Config sysctl
 sudo augtool --autosave "
 set /files/etc/sysctl.conf/kernel.core_pattern '|/usr/bin/coredump-compress %e %t %p'
-
 set /files/etc/sysctl.conf/kernel.softlockup_panic 1
 set /files/etc/sysctl.conf/kernel.panic 10
 set /files/etc/sysctl.conf/vm.panic_on_oom 2
 set /files/etc/sysctl.conf/fs.suid_dumpable 2
+" -r $FILESYSTEM_ROOT
 
-set /files/etc/sysctl.conf/net.ipv4.conf.default.forwarding 1
-set /files/etc/sysctl.conf/net.ipv4.conf.all.forwarding 1
-set /files/etc/sysctl.conf/net.ipv4.conf.eth0.forwarding 0
-
-set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_accept 0
-set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_announce 0
-set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_filter 0
-set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_notify 0
-set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_ignore 0
-set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_accept 0
-set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_announce 1
-set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_filter 0
-set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_notify 1
-set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_ignore 2
-
-set /files/etc/sysctl.conf/net.ipv4.neigh.default.base_reachable_time_ms 1800000
-set /files/etc/sysctl.conf/net.ipv6.neigh.default.base_reachable_time_ms 1800000
-set /files/etc/sysctl.conf/net.ipv4.neigh.default.gc_thresh1 1024
-set /files/etc/sysctl.conf/net.ipv6.neigh.default.gc_thresh1 1024
-set /files/etc/sysctl.conf/net.ipv4.neigh.default.gc_thresh2 2048
-set /files/etc/sysctl.conf/net.ipv6.neigh.default.gc_thresh2 2048
-set /files/etc/sysctl.conf/net.ipv4.neigh.default.gc_thresh3 4096
-set /files/etc/sysctl.conf/net.ipv6.neigh.default.gc_thresh3 4096
-
-set /files/etc/sysctl.conf/net.ipv6.conf.default.forwarding 1
-set /files/etc/sysctl.conf/net.ipv6.conf.all.forwarding 1
-set /files/etc/sysctl.conf/net.ipv6.conf.eth0.forwarding 0
-
-set /files/etc/sysctl.conf/net.ipv6.conf.default.accept_dad 0
-set /files/etc/sysctl.conf/net.ipv6.conf.all.accept_dad 0
-set /files/etc/sysctl.conf/net.ipv6.conf.eth0.accept_dad 0
-
-set /files/etc/sysctl.conf/net.ipv6.conf.default.keep_addr_on_down 1
-set /files/etc/sysctl.conf/net.ipv6.conf.all.keep_addr_on_down 1
-set /files/etc/sysctl.conf/net.ipv6.conf.eth0.keep_addr_on_down 1
-
-set /files/etc/sysctl.conf/net.ipv4.tcp_l3mdev_accept 1
-set /files/etc/sysctl.conf/net.ipv4.udp_l3mdev_accept 1
-
-set /files/etc/sysctl.conf/net.core.rmem_max 2097152
-set /files/etc/sysctl.conf/net.core.wmem_max 2097152
-
-set /files/etc/sysctl.conf/net.core.somaxconn 512
+sysctl_net_cmd_string=""
+while read line; do
+  [[ "$line" =~ ^#.*$ ]] && continue
+  sysctl_net_conf_key=`echo $line | awk -F '=' '{print $1}'`
+  sysctl_net_conf_value=`echo $line | awk -F '=' '{print $2}'`
+  sysctl_net_cmd_string=$sysctl_net_cmd_string"set /files/etc/sysctl.conf/$sysctl_net_conf_key $sysctl_net_conf_value"$'\n'
+done < files/image_config/sysctl/sysctl-net.conf
 
-" -r $FILESYSTEM_ROOT
+sudo augtool --autosave "$sysctl_net_cmd_string" -r $FILESYSTEM_ROOT
 
 ## docker Python API package is needed by Ansible docker module
 sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip install 'docker==4.1.0'
diff --git a/dockers/docker-database/Dockerfile.j2 b/dockers/docker-database/Dockerfile.j2
index e14be96e8592..cf62d6868dd8 100644
--- a/dockers/docker-database/Dockerfile.j2
+++ b/dockers/docker-database/Dockerfile.j2
@@ -40,6 +40,7 @@ COPY ["docker-database-init.sh", "/usr/local/bin/"]
 COPY ["database_config.json.j2", "/usr/share/sonic/templates/"]
 COPY ["database_global.json.j2", "/usr/share/sonic/templates/"]
 COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
+COPY ["files/sysctl-net.conf", "/etc/sysctl.d/"]
 COPY ["critical_processes", "/etc/supervisor"]
 
 ENTRYPOINT ["/usr/local/bin/docker-database-init.sh"]
diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
index 0a0461795944..2ddc18a8ce9b 100644
--- a/files/build_templates/docker_image_ctl.j2
+++ b/files/build_templates/docker_image_ctl.j2
@@ -91,7 +91,7 @@ function postStartAction()
 {
 {%- if docker_container_name == "database" %}
     if [ "$DEV" ]; then
-        docker exec -i database$DEV sysctl -w net.ipv6.conf.all.disable_ipv6=0
+        docker exec -i database$DEV sysctl --system -e
         link_namespace $DEV
     fi
 
diff --git a/files/image_config/sysctl/sysctl-net.conf b/files/image_config/sysctl/sysctl-net.conf
new file mode 100644
index 000000000000..62fda3a8ca91
--- /dev/null
+++ b/files/image_config/sysctl/sysctl-net.conf
@@ -0,0 +1,39 @@
+# All the sysctl for ipv4/ipv6 network.
+# Same will be used in host or docker namespace
+# It should be provided as key=value format for parsing
+net.ipv6.conf.all.disable_ipv6=0
+net.ipv4.conf.default.forwarding=1
+net.ipv4.conf.all.forwarding=1
+net.ipv4.conf.eth0.forwarding=0
+net.ipv4.conf.default.arp_accept=0
+net.ipv4.conf.default.arp_announce=0
+net.ipv4.conf.default.arp_filter=0
+net.ipv4.conf.default.arp_notify=0
+net.ipv4.conf.default.arp_ignore=0
+net.ipv4.conf.all.arp_accept=0
+net.ipv4.conf.all.arp_announce=1
+net.ipv4.conf.all.arp_filter=0
+net.ipv4.conf.all.arp_notify=1
+net.ipv4.conf.all.arp_ignore=2
+net.ipv4.neigh.default.base_reachable_time_ms=1800000
+net.ipv6.neigh.default.base_reachable_time_ms=1800000
+net.ipv4.neigh.default.gc_thresh1=1024
+net.ipv6.neigh.default.gc_thresh1=1024
+net.ipv4.neigh.default.gc_thresh2=2048
+net.ipv6.neigh.default.gc_thresh2=2048
+net.ipv4.neigh.default.gc_thresh3=4096
+net.ipv6.neigh.default.gc_thresh3=4096
+net.ipv6.conf.default.forwarding=1
+net.ipv6.conf.all.forwarding=1
+net.ipv6.conf.eth0.forwarding=0
+net.ipv6.conf.default.accept_dad=0
+net.ipv6.conf.all.accept_dad=0
+net.ipv6.conf.eth0.accept_dad=0
+net.ipv6.conf.default.keep_addr_on_down=1
+net.ipv6.conf.all.keep_addr_on_down=1
+net.ipv6.conf.eth0.keep_addr_on_down=1
+net.ipv4.tcp_l3mdev_accept=1
+net.ipv4.udp_l3mdev_accept=1
+net.core.rmem_max=2097152
+net.core.wmem_max=2097152
+net.core.somaxconn=512
diff --git a/rules/docker-database.mk b/rules/docker-database.mk
index 8062c3b147a5..7cfd8f0bf21e 100644
--- a/rules/docker-database.mk
+++ b/rules/docker-database.mk
@@ -24,4 +24,4 @@ $(DOCKER_DATABASE)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 
 $(DOCKER_DATABASE)_BASE_IMAGE_FILES += redis-cli:/usr/bin/redis-cli
 $(DOCKER_DATABASE)_BASE_IMAGE_FILES += monit_database:/etc/monit/conf.d
-$(DOCKER_DATABASE)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
+$(DOCKER_DATABASE)_FILES += $(SYSCTL_NET_CONFIG) $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
diff --git a/rules/scripts.mk b/rules/scripts.mk
index 8c6d0324fc0e..b3ed0cab95f8 100644
--- a/rules/scripts.mk
+++ b/rules/scripts.mk
@@ -14,10 +14,12 @@ $(QOS_CONFIG_TEMPLATE)_PATH = files/build_templates
 SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT = supervisor-proc-exit-listener
 $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)_PATH = files/scripts
 
+SYSCTL_NET_CONFIG = sysctl-net.conf
+$(SYSCTL_NET_CONFIG)_PATH = files/image_config/sysctl
+
 SONIC_COPY_FILES += $(CONFIGDB_LOAD_SCRIPT) \
                     $(ARP_UPDATE_SCRIPT) \
                     $(BUFFERS_CONFIG_TEMPLATE) \
                     $(QOS_CONFIG_TEMPLATE) \
-                    $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
-
-
+                    $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT) \
+                    $(SYSCTL_NET_CONFIG)