[teammgr]: Waiting MACsec ready before doLagMemberTask #2286
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Ze Gan <[email protected]>
Signed-off-by: Ze Gan <[email protected]>
judyjoseph
reviewed
May 25, 2022
judyjoseph
reviewed
May 25, 2022
Signed-off-by: Ze Gan <[email protected]>
judyjoseph
added
Request for 202205 Branch
Requested for 202205 branch
and removed
Request for 202205 Branch
labels
Earlier we were checking for Macsec Port creation.
7 tasks
Just check for macsec attached to interface is enough. Can later plan to introduce the yang model validation for macsec leaf in PORT if needed.
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
prsunny
reviewed
Jun 23, 2022
|
The coverage tool has a false negative to this PR. Because I truly got the "missing(declared by coverage)" line from syslog. I think The most functions have been covered by our test case. @prsunny Could you please help to merge this PR? |
|
|
judyjoseph
approved these changes
Jul 4, 2022
There was a problem hiding this comment.
Validated this logic is applied only on ports with macsec configured.. @prsunny to comment - the coverage details added by Ze looks not in sync with logs
Agree with Ze and Judy that this is a false negative. @theasianpianist for viz |
dprital
added a commit
to dprital/sonic-buildimage
that referenced
this pull request
Jul 7, 2022
Update sonic-swss submodule pointer to include the following: * Port configuration incremental update support ([sonic-net#2305](sonic-net/sonic-swss#2305)) * [VS Test] Skip failing subport tests ([sonic-net#2370](sonic-net/sonic-swss#2370)) * [teammgr]: Waiting MACsec ready before doLagMemberTask ([sonic-net#2286](sonic-net/sonic-swss#2286)) * [vnetorch] [vxlanorch] fix a set of memory usage issues ([sonic-net#2352](sonic-net/sonic-swss#2352)) * [tests] [asan] add graceful stop flag ([sonic-net#2347](sonic-net/sonic-swss#2347)) * [asan] suppress the static variable leaks ([sonic-net#2354](sonic-net/sonic-swss#2354)) * Add support for IP interface loopback action ([sonic-net#2307](sonic-net/sonic-swss#2307)) * [orchagent]: srv6orch support for uSID ([sonic-net#2335](sonic-net/sonic-swss#2335)) Signed-off-by: dprital <[email protected]>
7 tasks
liat-grozovik
pushed a commit
to sonic-net/sonic-buildimage
that referenced
this pull request
Jul 14, 2022
Update sonic-swss submodule pointer to include the following: * Port configuration incremental update support ([#2305](sonic-net/sonic-swss#2305)) * [VS Test] Skip failing subport tests ([#2370](sonic-net/sonic-swss#2370)) * [teammgr]: Waiting MACsec ready before doLagMemberTask ([#2286](sonic-net/sonic-swss#2286)) * [vnetorch] [vxlanorch] fix a set of memory usage issues ([#2352](sonic-net/sonic-swss#2352)) * [tests] [asan] add graceful stop flag ([#2347](sonic-net/sonic-swss#2347)) * [asan] suppress the static variable leaks ([#2354](sonic-net/sonic-swss#2354)) * Add support for IP interface loopback action ([#2307](sonic-net/sonic-swss#2307)) * [orchagent]: srv6orch support for uSID ([#2335](sonic-net/sonic-swss#2335)) Signed-off-by: dprital <[email protected]>
yxieca
pushed a commit
that referenced
this pull request
Jul 17, 2022
Signed-off-by: Ze Gan [email protected], Judy Joseph [email protected] What I did If a member of portchannel has macsec profile attached in config, enable MACsec on the port before it's been added as a member of portchannel. Why I did it Due to some hardware limitation, cannot enable MACsec on a member of portchannel. So we enable the macsec on interface first and then add it as part of portchannel. Note: This is a work around which will be removed when h/w supports it future releases. The approach taken in this PR is In the teamdMgr when an interface is added as part of the LAG, we wait for the macsecPort creation done in SAI and Ingress SA creation complete (if macsec is enabled on the interface) The above takes care of config reload, reboot scenario's where we cannot guarantee the sequence of macsec attach to interface, add interface as part of portchannel. If we do a manual removal of port from portchannel, or remove macsec config from the interface, Please follow this steps First remove the portchannel member out of portchannel Remove the macsec profile attached to interface. How I verified it Verified with config reload, reboot with the macsec profile attached to portchannel member interfaces. Verified case when SAK rekey is enabled on macsec on portchannel members Verified case when member interface link flaps
preetham-singh
pushed a commit
to preetham-singh/sonic-swss
that referenced
this pull request
Aug 6, 2022
Signed-off-by: Ze Gan [email protected], Judy Joseph [email protected] What I did If a member of portchannel has macsec profile attached in config, enable MACsec on the port before it's been added as a member of portchannel. Why I did it Due to some hardware limitation, cannot enable MACsec on a member of portchannel. So we enable the macsec on interface first and then add it as part of portchannel. Note: This is a work around which will be removed when h/w supports it future releases. The approach taken in this PR is In the teamdMgr when an interface is added as part of the LAG, we wait for the macsecPort creation done in SAI and Ingress SA creation complete (if macsec is enabled on the interface) The above takes care of config reload, reboot scenario's where we cannot guarantee the sequence of macsec attach to interface, add interface as part of portchannel. If we do a manual removal of port from portchannel, or remove macsec config from the interface, Please follow this steps First remove the portchannel member out of portchannel Remove the macsec profile attached to interface. How I verified it Verified with config reload, reboot with the macsec profile attached to portchannel member interfaces. Verified case when SAK rekey is enabled on macsec on portchannel members Verified case when member interface link flaps
abdosi
added a commit
to sonic-net/sonic-mgmt
that referenced
this pull request
Nov 15, 2023
…#10732) What I did: macsec workaround for portchannel as define here sonic-net/sonic-swss#2286 applies only to dnx platforms. This workaround causes failure of macsec bgp protocol testcase on platforms that does not need this workaround. How I verify: Test case passes after this change.
mssonicbld
pushed a commit
to mssonicbld/sonic-mgmt
that referenced
this pull request
Nov 20, 2023
…sonic-net#10732) What I did: macsec workaround for portchannel as define here sonic-net/sonic-swss#2286 applies only to dnx platforms. This workaround causes failure of macsec bgp protocol testcase on platforms that does not need this workaround. How I verify: Test case passes after this change.
mssonicbld
pushed a commit
to mssonicbld/sonic-mgmt
that referenced
this pull request
Nov 20, 2023
…sonic-net#10732) What I did: macsec workaround for portchannel as define here sonic-net/sonic-swss#2286 applies only to dnx platforms. This workaround causes failure of macsec bgp protocol testcase on platforms that does not need this workaround. How I verify: Test case passes after this change.
mssonicbld
pushed a commit
to sonic-net/sonic-mgmt
that referenced
this pull request
Nov 20, 2023
…#10732) What I did: macsec workaround for portchannel as define here sonic-net/sonic-swss#2286 applies only to dnx platforms. This workaround causes failure of macsec bgp protocol testcase on platforms that does not need this workaround. How I verify: Test case passes after this change.
mssonicbld
pushed a commit
to sonic-net/sonic-mgmt
that referenced
this pull request
Nov 20, 2023
…#10732) What I did: macsec workaround for portchannel as define here sonic-net/sonic-swss#2286 applies only to dnx platforms. This workaround causes failure of macsec bgp protocol testcase on platforms that does not need this workaround. How I verify: Test case passes after this change.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Ze Gan [email protected], Judy Joseph [email protected]
What I did
If a member of portchannel has macsec profile attached in config, enable MACsec on the port before it's been added as a member of portchannel.
Why I did it
Due to some hardware limitation, cannot enable MACsec on a member of portchannel.
So we enable the macsec on interface first and then add it as part of portchannel.
Note: This is a work around which will be removed when h/w supports it future releases.
The approach taken in this PR is
If we do a manual removal of port from portchannel, or remove macsec config from the interface, Please follow this steps
How I verified it
Verified with config reload, reboot with the macsec profile attached to portchannel member interfaces.
Verified case when SAK rekey is enabled on macsec on portchannel members
Verified case when member interface link flaps
Details if related