[docker-database] limit privileged flag for database container #19248

Merged
merged 3 commits into from
Jul 22, 2024
2 changes: 1 addition & 1 deletion rules/docker-database.mk
Expand Up @@ -28,7 +28,7 @@ SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_DATABASE_DBG)
SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_DATABASE_DBG)

$(DOCKER_DATABASE)_CONTAINER_NAME = database
$(DOCKER_DATABASE)_RUN_OPT += --privileged -t
$(DOCKER_DATABASE)_RUN_OPT += -t --security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
Contributor Author

--security-opt apparmor=unconfined --security-opt="systempaths=unconfined"

These arguments are necessary for test_snmp_loopback test case

========================================================================== FAILURES ===========================================================================
___________________________________________________________ test_snmp_loopback[vlab-08-IPv6Address] ___________________________________________________________

duthosts = [<MultiAsicSonicHost vlab-08>], enum_rand_one_per_hwsku_frontend_hostname = 'vlab-08'
nbrhosts = {'ARISTA01T0': <EosHost VM0129>, 'ARISTA01T2': <EosHost VM0128>}
tbinfo = {'auto_recover': 'False', 'comment': 'Tests multi-asic virtual switch vm', 'conf-name': 'vms-kvm-four-asic-t1-lag', 'duts': ['vlab-08'], ...}
localhost = <tests.common.devices.local.Localhost object at 0x7f0cb45781f0>
creds_all_duts = {'vlab-08': {'ansible_altpasswords': [], 'ansible_become_pass': 'password', 'ansible_ssh_pass': 'password', 'ansible_ssh_user': 'user', ...}}
ip_version = <class 'ipaddress.IPv6Address'>

    @pytest.mark.parametrize('ip_version', [ipaddress.IPv4Address, ipaddress.IPv6Address])
    def test_snmp_loopback(duthosts, enum_rand_one_per_hwsku_frontend_hostname,
                           nbrhosts, tbinfo, localhost, creds_all_duts, ip_version):
        """
        Test SNMP query to DUT over loopback IP
          - Send SNMP query over loopback IP from one of the BGP Neighbors
          - Get SysDescr from snmpfacts
          - compare result from snmp query over loopback IP and snmpfacts
        """
        duthost = duthosts[enum_rand_one_per_hwsku_frontend_hostname]
        hostip = duthost.host.options['inventory_manager'].get_host(
            duthost.hostname).vars['ansible_host']
        snmp_facts = get_snmp_facts(
            localhost, host=hostip, version="v2c",
            community=creds_all_duts[duthost.hostname]["snmp_rocommunity"], wait=True)['ansible_facts']
        config_facts = duthost.config_facts(
            host=duthost.hostname, source="persistent")['ansible_facts']
        # Get first neighbor VM information
        nbr = nbrhosts[list(nbrhosts.keys())[0]]

        for ip in config_facts['LOOPBACK_INTERFACE']['Loopback0']:
            loip = ip.split('/')[0]
            ipaddr = ipaddress.ip_address(loip)
            if not isinstance(ipaddr, ip_version):
                continue
            if isinstance(ipaddr, ipaddress.IPv6Address):
                # SNMP over IPv6 not supported in single-asic
                if not duthost.is_multi_asic:
                    skip_release(duthost, ["202211", "202205", "202305"])
            result = get_snmp_output(loip, duthost, nbr, creds_all_duts)
            assert result is not None, 'No result from snmpget'
            assert len(result['stdout_lines']) > 0, 'No result from snmpget'
            if isinstance(nbr["host"], EosHost):
                stdout_lines = result['stdout_lines'][0][0]
            else:
                stdout_lines = result['stdout_lines'][0]
>           assert "SONiC Software Version" in stdout_lines,\
                "Sysdescr not found in SNMP result from IP {}".format(ip)
E           AssertionError: Sysdescr not found in SNMP result from IP FC00:1::32/128

config_facts = {'ACL_TABLE': {'DATAACL': {'policy_desc': 'DATAACL', 'ports': ['PortChannel101', 'PortChannel102'], 'stage': 'ingress'... and/or use are subject to monitoring.\n\nHelp:    https://sonic-net.github.io/SONiC/\n\n', 'state': 'disabled'}}, ...}
creds_all_duts = {'vlab-08': {'ansible_altpasswords': [], 'ansible_become_pass': 'password', 'ansible_ssh_pass': 'password', 'ansible_ssh_user': 'user', ...}}
duthost    = <MultiAsicSonicHost vlab-08>
duthosts   = [<MultiAsicSonicHost vlab-08>]
enum_rand_one_per_hwsku_frontend_hostname = 'vlab-08'
hostip     = '10.250.0.112'
ip         = 'FC00:1::32/128'
ip_version = <class 'ipaddress.IPv6Address'>
ipaddr     = IPv6Address('fc00:1::32')
localhost  = <tests.common.devices.local.Localhost object at 0x7f0cb45781f0>
loip       = 'FC00:1::32'
nbr        = <EosHost VM0128>
nbrhosts   = {'ARISTA01T0': <EosHost VM0129>, 'ARISTA01T2': <EosHost VM0128>}
result     = {'changed': False, 'stdout': ["Timeout: No Response from FC00:1::32.\n% 'snmpget -v2c -c public FC00:1::32 .1.3.6.1.2....': 'all', 'retries': 10, 'interval': 1, 'wait_for': None, 'provider': None}}, '_ansible_no_log': None, 'failed': False}
snmp_facts = {'ansible_all_ipv4_addresses': [], 'ansible_sysCachedMemory': 1425364, 'ansible_sysTotalBuffMemory': 59620, 'ansible_sysTotalFreeMemory': 1198412, ...}
stdout_lines = 'Timeout: No Response from FC00:1::32.'
tbinfo     = {'auto_recover': 'False', 'comment': 'Tests multi-asic virtual switch vm', 'conf-name': 'vms-kvm-four-asic-t1-lag', 'duts': ['vlab-08'], ...}

snmp/test_snmp_loopback.py:49: AssertionError
====================================================================== warnings summary =======================================================================
../../../usr/local/lib/python3.8/dist-packages/paramiko/transport.py:236
  /usr/local/lib/python3.8/dist-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
    "class": algorithms.Blowfish,

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
--------------------------------------------------- generated xml file: /data/sonic-mgmt/tests/logs/tr.xml ----------------------------------------------------
=================================================================== short test summary info ===================================================================
FAILED snmp/test_snmp_loopback.py::test_snmp_loopback[vlab-08-IPv6Address] - AssertionError: Sysdescr not found in SNMP result from IP FC00:1::32/128

$(DOCKER_DATABASE)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
$(DOCKER_DATABASE)_RUN_OPT += -v /etc/timezone:/etc/timezone:ro
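
Review bot: The `_RUN_OPT` line that replaces `--privileged -t` has no comment in rules/docker-database.mk saying why `--security-opt apparmor=unconfined` and `--security-opt="systempaths=unconfined"` are required, so a later reader cannot tell these two relaxations from leftovers and may either drop them or widen the container back to `--privileged`. Add a short makefile comment above the line recording that they are needed for the SNMP query over the IPv6 loopback (the test_snmp_loopback failure quoted in the review thread). Since `systempaths=unconfined` lifts Docker's masked and read-only /proc and /sys paths for the whole container, the comment should also name the path the container actually needs, which would make it possible to narrow the option later. The two options are also written in different forms (space-separated and unquoted versus `=` with quotes); pick one for consistency.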
