Disabling ports by adding parameter ‘-P 0’ (sonic-net#21296)

yyynini · prabhataravind · commit 068acb371e0a · 2025-03-05T18:41:48.000Z
Why I did it
There are several TCP ports bound to localhost that need to be disabled to enhance system security.

Work item tracking
Microsoft ADO (number only):
How I did it
By adding -P 0 in supervisord.conf.j2 to disable the ports.

How to verify it
Check the file for -P 0 changes, and confirm port behaviour using netstat.
diff --git a/dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2 b/dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2
@@ -32,7 +32,7 @@ stderr_syslog=true
 dependent_startup=true
 
 [program:mgmtd]
-command=/usr/lib/frr/mgmtd -A 127.0.0.1
+command=/usr/lib/frr/mgmtd -A 127.0.0.1 -P 0
 priority=4
 autostart=false
 autorestart=true
@@ -69,7 +69,7 @@ dependent_startup=true
 dependent_startup_wait_for=zebra:running
 
 [program:staticd]
-command=/usr/lib/frr/staticd -A 127.0.0.1
+command=/usr/lib/frr/staticd -A 127.0.0.1 -P 0
 priority=4
 autostart=false
 autorestart=false
@@ -83,7 +83,7 @@ dependent_startup_wait_for=zsocket:exited
 
 {% if DEVICE_METADATA.localhost.frr_mgmt_framework_config is defined and DEVICE_METADATA.localhost.frr_mgmt_framework_config == "true" %}
 [program:bfdd]
-command=/usr/lib/frr/bfdd -A 127.0.0.1
+command=/usr/lib/frr/bfdd -A 127.0.0.1 -P 0
 priority=4
 stopsignal=KILL
 autostart=false
@@ -99,9 +99,9 @@ dependent_startup_wait_for=zebra:running
 
 [program:bgpd]
 {% if FEATURE is defined and FEATURE.bmp is defined and FEATURE.bmp.state is defined and FEATURE.bmp.state == "enabled" %}
-command=/usr/lib/frr/bgpd -A 127.0.0.1 -M snmp -M bmp
+command=/usr/lib/frr/bgpd -A 127.0.0.1 -P 0 -M snmp -M bmp
 {% else %}
-command=/usr/lib/frr/bgpd -A 127.0.0.1 -M snmp
+command=/usr/lib/frr/bgpd -A 127.0.0.1 -P 0 -M snmp
 {% endif %}
 priority=5
 stopsignal=KILL
@@ -117,7 +117,7 @@ dependent_startup_wait_for=zsocket:exited
 
 {% if DEVICE_METADATA.localhost.frr_mgmt_framework_config is defined and DEVICE_METADATA.localhost.frr_mgmt_framework_config == "true" %}
 [program:ospfd]
-command=/usr/lib/frr/ospfd -A 127.0.0.1 -M snmp
+command=/usr/lib/frr/ospfd -A 127.0.0.1 -P 0 -M snmp
 priority=5
 stopsignal=KILL
 autostart=false
@@ -131,7 +131,7 @@ dependent_startup=true
 dependent_startup_wait_for=zebra:running
 
 [program:pimd]
-command=/usr/lib/frr/pimd -A 127.0.0.1
+command=/usr/lib/frr/pimd -A 127.0.0.1 -P 0
 priority=5
 stopsignal=KILL
 autostart=false
@@ -239,7 +239,7 @@ dependent_startup_wait_for=bgpd:running
 
 {% if DEVICE_METADATA.localhost.frr_mgmt_framework_config is defined and DEVICE_METADATA.localhost.frr_mgmt_framework_config == "true" %}
 [program:pathd]
-command=/usr/lib/frr/pathd -A 127.0.0.1
+command=/usr/lib/frr/pathd -A 127.0.0.1 -P 0
 priority=5
 stopsignal=KILL
 autostart=false
