diff --git a/dockers/docker-snmp-sv2/Dockerfile.j2 b/dockers/docker-snmp-sv2/Dockerfile.j2 index b62ff61eaf95..304c7fb44a9f 100644 --- a/dockers/docker-snmp-sv2/Dockerfile.j2 +++ b/dockers/docker-snmp-sv2/Dockerfile.j2 @@ -1,5 +1,5 @@ -{% from "dockers/dockerfile-macros.j2" import install_debian_packages, install_python_wheels, copy_files %} -FROM docker-config-engine-stretch +{% from "dockers/dockerfile-macros.j2" import install_debian_packages, install_python3_wheels, copy_files %} +FROM docker-config-engine-buster ARG docker_container_name RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf @@ -18,7 +18,9 @@ ENV DEBIAN_FRONTEND=noninteractive # The file referenced (`/usr/share/dpkg/no-pie-compile.specs`) is in the `libdpkg-perl` package on Debian RUN apt-get update && \ apt-get install -y \ - curl \ + python3 \ + python3-pip \ + python3-dev \ ca-certificates \ gcc \ make \ @@ -43,11 +45,11 @@ RUN sed -i '/^#.* en_US.* /s/^#//' /etc/locale.gen RUN locale-gen # Install up-to-date version of pip -RUN curl https://bootstrap.pypa.io/get-pip.py | python3.6 +RUN pip3 install --no-cache-dir setuptools wheel # Install pyyaml dependency for use by some plugins # Install smbus dependency for use by some plugins -RUN python3.6 -m pip install --no-cache-dir \ +RUN python3 -m pip install --no-cache-dir \ hiredis \ pyyaml \ smbus @@ -57,15 +59,14 @@ RUN python3.6 -m pip install --no-cache-dir \ {{ copy_files("python-wheels/", docker_snmp_sv2_whls.split(' '), "/python-wheels/") }} # Install locally-built Python wheel dependencies -{{ install_python_wheels(docker_snmp_sv2_whls.split(' ')) }} +{{ install_python3_wheels(docker_snmp_sv2_whls.split(' ')) }} {% endif %} -RUN python3.6 -m sonic_ax_impl install +RUN python3 -m sonic_ax_impl install # Clean up RUN apt-get -y purge \ - libpython3.6-dev \ - libpython3.6 \ + python3-dev \ curl \ gcc \ make \ 
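Review bot: The comment `# Install up-to-date version of pip` above the new `RUN pip3 install --no-cache-dir setuptools wheel` (hunk `@@ -43,11 +45,11 @@`) no longer matches the line. pip itself now comes from the Debian `python3-pip` package added in the previous hunk, and this step only adds setuptools and wheel, so I would reword it to `# Install setuptools and wheel for the pip installs below`. This line and the `python3 -m pip install --no-cache-dir hiredis pyyaml smbus` that follows both resolve unpinned names from PyPI at build time, so two builds of the same commit can produce different images. Pinning versions (`name==<VERSION>`) or installing from a requirements file with `--require-hashes` would make the image reproducible and limit exposure to a tampered upstream release.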
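Review bot: The clean-up `apt-get -y purge` list (hunk `@@ -57,15 +59,14 @@`) still names `curl`, which this Dockerfile no longer installs now that the second hunk dropped it, while the newly added `python3-pip` is not purged. If curl is inherited from the base image the entry still does something and deserves a short comment saying so; otherwise it should be dropped. If nothing needs pip at runtime (not visible from this hunk), adding `python3-pip \` next to `python3-dev \` keeps a package installer out of the shipped image. The purge list continues past the end of the hunk.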
diff --git a/dockers/docker-snmp-sv2/supervisord.conf b/dockers/docker-snmp-sv2/supervisord.conf index 992292330552..6af6ae965b17 100644 --- a/dockers/docker-snmp-sv2/supervisord.conf +++ b/dockers/docker-snmp-sv2/supervisord.conf @@ -34,7 +34,7 @@ stdout_logfile=syslog stderr_logfile=syslog [program:snmp-subagent] -command=/usr/bin/env python3.6 -m sonic_ax_impl +command=/usr/bin/env python3 -m sonic_ax_impl priority=4 autostart=false autorestart=false diff --git a/dockers/dockerfile-macros.j2 b/dockers/dockerfile-macros.j2 index 408ee9fec622..8a4a3ae01411 100644 --- a/dockers/dockerfile-macros.j2 +++ b/dockers/dockerfile-macros.j2 @@ -9,6 +9,10 @@ RUN dpkg_apt() { [ -f $1 ] && { dpkg -i $1 || apt-get -y install -f; } || return RUN cd /python-wheels/ && pip install {{ packages | join(' ') }} {%- endmacro %} +{% macro install_python3_wheels(packages) -%} +RUN cd /python-wheels/ && pip3 install {{ packages | join(' ') }} +{%- endmacro %} + {% macro copy_files(prefix, files, dest) -%} COPY \ {%- for file in files %} diff --git a/rules/docker-snmp-sv2.mk b/rules/docker-snmp-sv2.mk index 59f99ac78bc7..7eebf0c56ff1 100644 --- a/rules/docker-snmp-sv2.mk +++ b/rules/docker-snmp-sv2.mk 
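Review bot: The new `install_python3_wheels` macro in `dockers/dockerfile-macros.j2` runs `pip3 install` without `--no-cache-dir` and without restricting the index. Any dependency that a local wheel declares and that is not already installed would presumably be fetched, unpinned, from PyPI during the image build. At minimum I would match the Dockerfile's own pip calls with `RUN cd /python-wheels/ && pip3 install --no-cache-dir {{ packages | join(' ') }}`. If every dependency is meant to be supplied locally, adding `--no-index --find-links /python-wheels/` makes a missing wheel fail loudly instead of falling back to the network. The macro is a near copy of `install_python_wheels`, so a one-line Jinja comment on each saying which interpreter it targets would help the next reader.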
@@ -7,23 +7,21 @@ DOCKER_SNMP_SV2_DBG = $(DOCKER_SNMP_SV2_STEM)-$(DBG_IMAGE_MARK).gz $(DOCKER_SNMP_SV2)_PATH = $(DOCKERS_PATH)/docker-snmp-sv2 ## TODO: remove LIBPY3_DEV if we can get pip3 directly -$(DOCKER_SNMP_SV2)_DEPENDS += $(SNMP) $(SNMPD) $(PY3) $(LIBPY3_DEV) +$(DOCKER_SNMP_SV2)_DEPENDS += $(SNMP) $(SNMPD) -$(DOCKER_SNMP_SV2)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_STRETCH)_DBG_DEPENDS) +$(DOCKER_SNMP_SV2)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_DEPENDS) $(DOCKER_SNMP_SV2)_DBG_DEPENDS += $(SNMP_DBG) $(SNMPD_DBG) $(LIBSNMP_DBG) -$(DOCKER_SNMP_SV2)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_STRETCH)_DBG_IMAGE_PACKAGES) +$(DOCKER_SNMP_SV2)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_IMAGE_PACKAGES) $(DOCKER_SNMP_SV2)_PYTHON_WHEELS += $(SONIC_PLATFORM_COMMON_PY3) $(SWSSSDK_PY3) $(ASYNCSNMP_PY3) -$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_STRETCH) +$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BUSTER) SONIC_DOCKER_IMAGES += $(DOCKER_SNMP_SV2) SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_SNMP_SV2) -SONIC_STRETCH_DOCKERS += $(DOCKER_SNMP_SV2) SONIC_DOCKER_DBG_IMAGES += $(DOCKER_SNMP_SV2_DBG) SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_SNMP_SV2_DBG) -SONIC_STRETCH_DBG_DOCKERS += $(DOCKER_SNMP_SV2_DBG) $(DOCKER_SNMP_SV2)_CONTAINER_NAME = snmp $(DOCKER_SNMP_SV2)_RUN_OPT += --privileged -t diff --git a/rules/python3.mk b/rules/python3.mk deleted file mode 100644 index d9d19d8d1f97..000000000000 --- a/rules/python3.mk +++ /dev/null 
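Review bot: The `## TODO: remove LIBPY3_DEV if we can get pip3 directly` comment survives as a context line, but the `_DEPENDS` line below it no longer references `$(PY3)` or `$(LIBPY3_DEV)`. `rules/python3.mk`, which defined those variables, is deleted in this same commit. The TODO is now done and should be removed along with the dependency, so nobody goes looking for variables that no longer exist.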
@@ -1,35 +0,0 @@ -PYTHON_VER=3.6.0-1 -PYTHON_PNAME=python3.6 - -export PYTHON_VER -export PYTHON_PNAME - -LIBPY3_MIN = lib$(PYTHON_PNAME)-minimal_$(PYTHON_VER)_$(CONFIGURED_ARCH).deb -$(LIBPY3_MIN)_SRC_PATH = $(SRC_PATH)/python3 -$(LIBPY3_MIN)_DEPENDS += -$(LIBPY3_MIN)_RDEPENDS += -SONIC_MAKE_DEBS += $(LIBPY3_MIN) - -LIBPY3_STD = lib$(PYTHON_PNAME)-stdlib_$(PYTHON_VER)_$(CONFIGURED_ARCH).deb -$(eval $(call add_derived_package,$(LIBPY3_MIN),$(LIBPY3_STD))) -$(LIBPY3_STD)_DEPENDS += $(LIBMPDECIMAL) -$(LIBPY3_STD)_RDEPENDS += $(LIBPY3_MIN) $(LIBMPDECIMAL) - -LIBPY3 = lib$(PYTHON_PNAME)_$(PYTHON_VER)_$(CONFIGURED_ARCH).deb -$(eval $(call add_derived_package,$(LIBPY3_MIN),$(LIBPY3))) -$(LIBPY3)_DEPENDS += $(LIBPY3_STD) -$(LIBPY3)_RDEPENDS += $(LIBPY3_MIN) $(LIBPY3_STD) - -PY3_MIN = $(PYTHON_PNAME)-minimal_$(PYTHON_VER)_$(CONFIGURED_ARCH).deb -$(eval $(call add_derived_package,$(LIBPY3_MIN),$(PY3_MIN))) -$(PY3_MIN)_RDEPENDS += $(LIBPY3_MIN) - -PY3 = $(PYTHON_PNAME)_$(PYTHON_VER)_$(CONFIGURED_ARCH).deb -$(eval $(call add_derived_package,$(LIBPY3_MIN),$(PY3))) -$(PY3)_DEPENDS += $(PY3_MIN) $(LIBPY3_STD) -$(PY3)_RDEPENDS += $(PY3_MIN) $(LIBPY3_STD) - -LIBPY3_DEV = lib$(PYTHON_PNAME)-dev_$(PYTHON_VER)_$(CONFIGURED_ARCH).deb -$(eval $(call add_derived_package,$(LIBPY3_MIN),$(LIBPY3_DEV))) -$(LIBPY3_DEV)_DEPENDS += $(LIBPY3) $($(LIBPY3)_DEPENDS) -$(LIBPY3_DEV)_RDEPENDS += $(LIBPY3) $($(LIBPY3)_RDEPENDS) diff --git a/rules/snmpd.mk b/rules/snmpd.mk index 168cad70ef2a..cc340e92e6bb 100644 --- a/rules/snmpd.mk +++ b/rules/snmpd.mk @@ -1,7 +1,7 @@ # snmpd package SNMPD_VERSION = 5.7.3+dfsg -SNMPD_VERSION_FULL = $(SNMPD_VERSION)-1.5 +SNMPD_VERSION_FULL = $(SNMPD_VERSION)-5 export SNMPD_VERSION SNMPD_VERSION_FULL diff --git a/src/snmpd/Makefile b/src/snmpd/Makefile index 77084594d8ba..5e5c2a88098a 100644 --- a/src/snmpd/Makefile +++ b/src/snmpd/Makefile 
@@ -19,10 +19,7 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% : rm -rf net-snmp-$(SNMPD_VERSION) # download debian net-snmp - wget -NO net-snmp_$(SNMPD_VERSION_FULL).dsc "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.dsc?sv=2015-04-05&sr=b&sig=vDAYAKlwi7JjF%2FesdJUyf4VIEXPsCfLhqqTqNr75zBs%3D&se=2030-10-12T13%3A59%3A45Z&sp=r" - wget -NO net-snmp_$(SNMPD_VERSION).orig.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg.orig.tar.xz?sv=2015-04-05&sr=b&sig=UjIh%2FTcHrIEzEV7a%2BV2ZP4ks3xHlAA3wqyxkyV7Ms8I%3D&se=2030-10-12T13%3A58%3A19Z&sp=r" - wget -NO net-snmp_$(SNMPD_VERSION_FULL).debian.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.debian.tar.xz?sv=2015-04-05&sr=b&sig=xJkmxjtKXYcPe4yR%2FuCA0TXUfT40rj4XUMBaiK9CjsA%3D&se=2030-10-12T14%3A00%3A15Z&sp=r" - dpkg-source -x net-snmp_$(SNMPD_VERSION_FULL).dsc + dget -u https://sonicstorage.blob.core.windows.net/debian/pool/main/n/net-snmp/net-snmp_$(SNMPD_VERSION_FULL).dsc pushd net-snmp-$(SNMPD_VERSION) git init diff --git a/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch b/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch deleted file mode 100644 index b4a5e4a351dd..000000000000 --- a/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch +++ /dev/null 
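Review bot: `dget -u` is `--allow-unauthenticated`, so the downloaded `.dsc` is never checked with dscverify and the source is unpacked on the strength of the HTTPS connection to the storage account alone. The tarballs are still compared against the checksums listed in the `.dsc`, but the `.dsc` itself is unverified, so whoever can write to that blob path decides what gets built. Consider downloading without extracting and pinning the descriptor first: `dget -d -u <same URL>`, then `echo "<SHA256_OF_DSC>  net-snmp_$(SNMPD_VERSION_FULL).dsc" | sha256sum -c -`, then `dpkg-source -x net-snmp_$(SNMPD_VERSION_FULL).dsc`. The hash is a placeholder to be filled in from a trusted copy. The recipe begins before this hunk and continues after it.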
@@ -1,184 +0,0 @@ -From: Andreas Henriksson -Date: Sat, 23 Dec 2017 22:25:41 +0000 -Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2 - -Initial support for OpenSSL 1.1.0 - -Changes by sebastian@breakpoint.cc: -- added OpenSSL 1.0.2 glue layer for backwarts compatibility -- dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL - version instead (and currently 1.0.2 is the only one supported). - -BTS: https://bugs.debian.org/828449 -Signed-off-by: Sebastian Andrzej Siewior ---- - apps/snmpusm.c | 43 ++++++++++++++++++++++++++++++++++++------- - configure.d/config_os_libs2 | 6 ------ - snmplib/keytools.c | 13 ++++++------- - snmplib/scapi.c | 17 +++++------------ - 4 files changed, 47 insertions(+), 32 deletions(-) - ---- a/apps/snmpusm.c -+++ b/apps/snmpusm.c -@@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char - } - - #if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO) -+ -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) -+ -+static void DH_get0_pqg(const DH *dh, -+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) -+{ -+ if (p != NULL) -+ *p = dh->p; -+ if (q != NULL) -+ *q = dh->q; -+ if (g != NULL) -+ *g = dh->g; -+} -+ -+static void DH_get0_key(const DH *dh, const BIGNUM **pub_key, -+ const BIGNUM **priv_key) -+{ -+ if (pub_key != NULL) -+ *pub_key = dh->pub_key; -+ if (priv_key != NULL) -+ *priv_key = dh->priv_key; -+} -+ -+#endif -+ - int - get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar, - size_t outkey_len, -@@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va - oid *keyoid, size_t keyoid_len) { - u_char *dhkeychange; - DH *dh; -- BIGNUM *other_pub; -+ const BIGNUM *p, *g, *pub_key, *other_pub; - u_char *key; - size_t key_len; - -@@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va - dh = d2i_DHparams(NULL, &cp, dhvar->val_len); - } - -- if (!dh || !dh->g || !dh->p) { -+ if (dh) -+ DH_get0_pqg(dh, &p, NULL, &g); -+ -+ if (!dh || !g || !p) 
{ - SNMP_FREE(dhkeychange); - return SNMPERR_GENERR; - } - -- DH_generate_key(dh); -- if (!dh->pub_key) { -+ if (!DH_generate_key(dh)) { - SNMP_FREE(dhkeychange); - return SNMPERR_GENERR; - } - -- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) { -+ DH_get0_key(dh, &pub_key, NULL); -+ -+ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) { - SNMP_FREE(dhkeychange); - fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n", -- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key)); -+ (unsigned long)vars->val_len, BN_num_bytes(pub_key)); - return SNMPERR_GENERR; - } - -- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len); -+ BN_bn2bin(pub_key, dhkeychange + vars->val_len); - - key_len = DH_size(dh); - if (!key_len) { ---- a/configure.d/config_os_libs2 -+++ b/configure.d/config_os_libs2 -@@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr - AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt, - AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1, - [Define to 1 if you have the `AES_cfb128_encrypt' function.])) -- -- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create, -- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [], -- [Define to 1 if you have the `EVP_MD_CTX_create' function.]) -- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [], -- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.])) - fi - if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then - AC_CHECK_LIB(ssl, DTLSv1_method, ---- a/snmplib/keytools.c -+++ b/snmplib/keytools.c -@@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int - */ - #ifdef NETSNMP_USE_OPENSSL - --#ifdef HAVE_EVP_MD_CTX_CREATE -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - ctx = EVP_MD_CTX_create(); - #else -- ctx = malloc(sizeof(*ctx)); -- if (!EVP_MD_CTX_init(ctx)) -- return SNMPERR_GENERR; -+ ctx = EVP_MD_CTX_new(); - #endif -+ if (!ctx) -+ return SNMPERR_GENERR; - #ifndef NETSNMP_DISABLE_MD5 - if (ISTRANSFORM(hashtype, HMACMD5Auth)) { - if (!EVP_DigestInit(ctx, EVP_md5())) -@@ 
-259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int - memset(buf, 0, sizeof(buf)); - #ifdef NETSNMP_USE_OPENSSL - if (ctx) { --#ifdef HAVE_EVP_MD_CTX_DESTROY -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - EVP_MD_CTX_destroy(ctx); - #else -- EVP_MD_CTX_cleanup(ctx); -- free(ctx); -+ EVP_MD_CTX_free(ctx); - #endif - } - #endif ---- a/snmplib/scapi.c -+++ b/snmplib/scapi.c -@@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has - } - - /** initialize the pointer */ --#ifdef HAVE_EVP_MD_CTX_CREATE -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - cptr = EVP_MD_CTX_create(); - #else -- cptr = malloc(sizeof(*cptr)); --#if defined(OLD_DES) -- memset(cptr, 0, sizeof(*cptr)); --#else -- EVP_MD_CTX_init(cptr); --#endif -+ cptr = EVP_MD_CTX_new(); - #endif - if (!EVP_DigestInit(cptr, hashfn)) { - /* requested hash function is not available */ -@@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has - /** do the final pass */ - EVP_DigestFinal(cptr, MAC, &tmp_len); - *MAC_len = tmp_len; --#ifdef HAVE_EVP_MD_CTX_DESTROY -+ -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - EVP_MD_CTX_destroy(cptr); - #else --#if !defined(OLD_DES) -- EVP_MD_CTX_cleanup(cptr); --#endif -- free(cptr); -+ EVP_MD_CTX_free(cptr); - #endif - return (rval); diff --git a/src/snmpd/patch-5.7.3+dfsg/0008-Enable-macro-DEB_BUILD_ARCH_OS-in-order-to-build-ipv.patch b/src/snmpd/patch-5.7.3+dfsg/0008-Enable-macro-DEB_BUILD_ARCH_OS-in-order-to-build-ipv.patch index f3e878077ff5..c41b5b5a6638 100644 --- a/src/snmpd/patch-5.7.3+dfsg/0008-Enable-macro-DEB_BUILD_ARCH_OS-in-order-to-build-ipv.patch +++ b/src/snmpd/patch-5.7.3+dfsg/0008-Enable-macro-DEB_BUILD_ARCH_OS-in-order-to-build-ipv.patch @@ -11,14 +11,12 @@ diff --git a/debian/rules b/debian/rules index 4c3b5b6..1fab6a4 100755 --- a/debian/rules 
+++ b/debian/rules -@@ -5,6 +5,7 @@ - # without -pie build fails during perl module build somehow... - export DEB_BUILD_MAINT_OPTIONS := hardening=+all,-pie +@@ -4,4 +4,5 @@ + export DEB_BUILD_MAINT_OPTIONS := hardening=+all DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) +DEB_BUILD_ARCH_OS ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH_OS) LIB_VERSION = 30 - UPSTREAM_VERSION = $(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ':' | sed 's/ //' | sed 's/~dfsg.*$$//') -- 2.18.0 diff --git a/src/snmpd/patch-5.7.3+dfsg/series b/src/snmpd/patch-5.7.3+dfsg/series index 428a81eb6b22..31b251845dea 100644 --- a/src/snmpd/patch-5.7.3+dfsg/series +++ b/src/snmpd/patch-5.7.3+dfsg/series @@ -1,7 +1,5 @@ 0001-SNMP-Stop-spamming-logs-with-statfs-permission-denie.patch 0002-at.c-properly-check-return-status-from-realloc.-Than.patch -0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch -0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch 0006-From-Jiri-Cervenka-snmpd-Fixed-agentx-crashing-and-or-freezing-on-timeout.patch 0007-Linux-VRF-5.7.3-Support.patch 0008-Enable-macro-DEB_BUILD_ARCH_OS-in-order-to-build-ipv.patch diff --git a/src/sonic-snmpagent b/src/sonic-snmpagent index 7632ee89caa8..c8e5757b7f54 160000 --- a/src/sonic-snmpagent +++ b/src/sonic-snmpagent @@ -1 +1 @@ -Subproject commit 7632ee89caa8a485d68ce389f60f202fce197579 +Subproject commit c8e5757b7f5495607bbf13d936f106991c13ddf5
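Review bot: Dropping `0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch` from `src/snmpd/patch-5.7.3+dfsg/series` removes a crash fix from the build, and nothing visible in this commit says why. Presumably the Debian revision selected by the new `SNMPD_VERSION_FULL` already carries that fix. A sentence in the commit description stating this would let a reader confirm the fix is not lost. Unlike 0005, the 0003 patch file does not appear as deleted anywhere in this diff, so it may be left orphaned in the patch directory.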