From 9779560b63a57b3e8cbb2a92f9d339b8aa679172 Mon Sep 17 00:00:00 2001 From: abdosi <58047199+abdosi@users.noreply.github.com> Date: Wed, 27 Jan 2021 08:36:10 -0800 Subject: [PATCH] [baseimage]: Updates for Ebtables and support for multi-asic (#6542) Following changes were done for ebtables: - Support for Multi-asic platforms. Ebtables filters are installed in the namespace for multi-asic and not on the host. On single-asic they are installed on the host. - For Multi-asic platforms we don't want to install on the host, otherwise Namespace-to-Namespace communication does not happen since ARP requests are not forwarded. - Updated to use a text file to restore ebtables rules rather than the binary format. Rules are restored as part of Database docker init instead of rc.local - Removed the ebtables service files for buster as they are not needed, since filters are restored/installed as part of database docker init. All the binaries are pre-installed, and the ebtables* binaries are the same as ebtables-legacy-* Signed-off-by: Abhishek Dosi --- build_debian.sh | 7 +------ files/build_templates/docker_image_ctl.j2 | 14 ++++++++++++++ files/image_config/platform/rc.local | 9 --------- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/build_debian.sh b/build_debian.sh index de9b34f90007..ad8d44aceeee 100755 --- a/build_debian.sh +++ b/build_debian.sh
@@ -465,13 +465,8 @@ if [ "${enable_organization_extensions}" = "y" ]; then fi fi -## Setup ebtable rules (rule file is in binary format) -sudo cp -f files/image_config/ebtables/ebtables.default $FILESYSTEM_ROOT/etc/default/ebtables -sudo cp -f files/image_config/ebtables/ebtables.init $FILESYSTEM_ROOT/etc/init.d/ebtables -sudo cp -f files/image_config/ebtables/ebtables.service $FILESYSTEM_ROOT/lib/systemd/system/ebtables.service +## Setup ebtable rules (rule file in text format) sudo cp files/image_config/ebtables/ebtables.filter.cfg ${FILESYSTEM_ROOT}/etc -sudo LANG=C chroot $FILESYSTEM_ROOT update-alternatives --set ebtables /usr/sbin/ebtables-legacy -sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable ebtables.service ## Debug Image specific changes ## Update motd for debug image diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2 index 7d3198d9f681..ec7a15a03327 100644 --- a/files/build_templates/docker_image_ctl.j2 +++ b/files/build_templates/docker_image_ctl.j2 @@ -42,6 +42,18 @@ function updateSyslogConf() rm -rf $TMP_FILE fi } +function ebtables_config() +{ + if [ "$DEV" ]; then + # Install ebtables filter in namespaces on multi-asic. + ip netns exec $NET_NS ebtables-restore < /etc/ebtables.filter.cfg + else + if [[ ! ($NUM_ASIC -gt 1) ]]; then + # Install ebtables filter in host for single asic. + ebtables-restore < /etc/ebtables.filter.cfg + fi + fi +} function getMountPoint() { @@ -98,6 +110,8 @@ function postStartAction() docker exec -i database$DEV sysctl --system -e link_namespace $DEV fi + # Setup ebtables configuration + ebtables_config # Wait until supervisord and redis starts. This change is needed # because now database_config.json is jinja2 templated based diff --git a/files/image_config/platform/rc.local b/files/image_config/platform/rc.local index 878345106c95..a537a751602e 100755 --- a/files/image_config/platform/rc.local +++ b/files/image_config/platform/rc.local 
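Review bot: With the `update-alternatives --set ebtables /usr/sbin/ebtables-legacy` line gone, nothing in build_debian.sh pins which backend a bare `ebtables-restore` resolves to, and the new `ebtables_config` in docker_image_ctl.j2 calls it by that unqualified name. The commit message says the ebtables* binaries match the legacy ones, but that is not visible in this diff; if the image's alternatives default ever points at a different backend, the filter file would be loaded through it without any build error. I would record the assumption next to the copy, e.g. `## ebtables-restore is expected to resolve to the legacy backend (rules are loaded from docker_image_ctl.j2)`, or call the legacy binary by its explicit name at the call site.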
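Review bot: Both `ebtables-restore` calls in `ebtables_config` discard their exit status, so a missing or unparsable `/etc/ebtables.filter.cfg`, or a `$NET_NS` that does not exist yet, leaves the filter rules unloaded while the database start carries on as if they were in place. Since these rules are a traffic filter, a failed load should at least be visible: `ip netns exec "$NET_NS" ebtables-restore < /etc/ebtables.filter.cfg || echo "ebtables-restore failed in $NET_NS" >&2`, with the same `|| echo ... >&2` on the host branch (or whatever logging helper this script already uses). `$NET_NS` is also unquoted in the added line. The call added to postStartAction in the following hunk ignores the function's status as well; whether a failure there should stop the start is a policy choice the patch does not state.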
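Review bot: The comment `# Setup ebtables configuration` does not say that this call is now the only place the filter rules are loaded, which the rest of the patch implies (the ebtables service setup and the rc.local first-boot call are both removed). That makes the rules dependent on the database container reaching postStartAction, and they are re-applied on every start of it; until then, as far as this diff shows, no ebtables filter is installed. I would spell that out at the call site, e.g. `# Only place ebtables rules are loaded: re-applied on every database start, none in place before it`. postStartAction begins and ends outside the hunk.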
@@ -186,12 +186,6 @@ program_console_speed() systemctl daemon-reload } -ebtables_config() -{ - # Generate atomic config file and save it persistent - /usr/sbin/ebtables-restore < /etc/ebtables.filter.cfg - /usr/sbin/ebtables -t filter --atomic-file /etc/ebtables.filter --atomic-save -} #### Begin Main Body #### @@ -362,9 +356,6 @@ if [ -f $FIRST_BOOT_FILE ]; then # Create dir where following scripts put their output files mkdir -p /var/platform - # Firsttime ebtables configuration - ebtables_config - firsttime_exit fi