[docker-orchagent] limit privileged flag for swss container #17598

maipbui · 2024-12-18T16:07:18Z

--security-opt apparmor=unconfined --security-opt="systempaths=unconfined"

These arguments are necessary for arp/test_arp_extended.py test case

arp/test_arp_extended.py:95: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ /usr/local/lib/python3.8/dist-packages/ptf/testutils.py:3250: in verify_packet test.fail( device = 0 pkt = <Ether dst=b'fe:54:00:a3:80:01' src=22:48:23:27:33:d8 type=ARP |<ARP op=is-at hwsrc=22:48:23:27:33:d8 psrc=192.168.0...:a3:80:01' pdst=192.168.0.3 |<Raw load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>> port = 1 port_id = 1 result = PollFailure(device=None, port=None, packet=None, time=None) test = <tests.common.plugins.ptfadapter.ptfadapter.PtfTestAdapter testMethod=runTest> timeout = 10 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ self = <tests.common.plugins.ptfadapter.ptfadapter.PtfTestAdapter testMethod=runTest> msg = 'Expected packet was not received on device 0, port 1.\n========== EXPECTED ==========\ndst : DestMACField ...00 00 00 ............\n========== RECEIVED ==========\n0 total packets.\n==============================\n' def fail(self, msg=None): """Fail immediately, with the given message.""" > raise self.failureException(msg) E AssertionError: Expected packet was not received on device 0, port 1. E ========== EXPECTED ========== E dst : DestMACField = b'fe:54:00:a3:80:01' ('None') E src : SourceMACField = '22:48:23:27:33:d8' ('None') E type : XShortEnumField = 2054 ('36864') E -- E hwtype : XShortEnumField = 1 ('1') E ptype : XShortEnumField = 2048 ('2048') E hwlen : FieldLenField = None ('None') E plen : FieldLenField = None ('None') E op : ShortEnumField = 2 ('1') E hwsrc : MultipleTypeField (SourceMACField, StrFixedLenField) = '22:48:23:27:33:d8' ('None') E psrc : MultipleTypeField (SourceIPField, SourceIP6Field, StrFixedLenField) = '192.168.0.4' ('None') E hwdst : MultipleTypeField (MACField, StrFixedLenField) = b'fe:54:00:a3:80:01' ('None') E pdst : MultipleTypeField (IPField, IP6Field, StrFixedLenField) = '192.168.0.3' ('None') E -- E load : StrField = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' ("b''") E -- E 0000 FE 54 00 A3 80 01 22 48 23 27 33 D8 08 06 00 01 .T...."H#'3..... E 0010 08 00 06 04 00 02 22 48 23 27 33 D8 C0 A8 00 04 ......"H#'3..... E 0020 FE 54 00 A3 80 01 C0 A8 00 03 00 00 00 00 00 00 .T.............. E 0030 00 00 00 00 00 00 00 00 00 00 00 00 ............ E ========== RECEIVED ========== E 0 total packets. E ============================== ``` #Closed

-Original file line number
+Diff line change
@@ Expand Up / @@ -37,7 +37,7 @@ SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_ORCHAGENT_DBG) @@
     SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_ORCHAGENT_DBG)
     $(DOCKER_ORCHAGENT)_CONTAINER_NAME = swss
-    $(DOCKER_ORCHAGENT)_RUN_OPT += --privileged -t
+    $(DOCKER_ORCHAGENT)_RUN_OPT += -t --cap-add=NET_ADMIN --security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
     $(DOCKER_ORCHAGENT)_RUN_OPT += -v /etc/network/interfaces:/etc/network/interfaces:ro
     $(DOCKER_ORCHAGENT)_RUN_OPT += -v /etc/localtime:/etc/localtime:ro
     $(DOCKER_ORCHAGENT)_RUN_OPT += -v /etc/network/interfaces.d/:/etc/network/interfaces.d/:ro
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[docker-orchagent] limit privileged flag for swss container #17598

Diff view

Diff view

There are no files selected for viewing

maipbui Dec 18, 2024 •

edited

Loading

[docker-orchagent] limit privileged flag for swss container #17598

[docker-orchagent] limit privileged flag for swss container #17598

Diff view

Diff view

There are no files selected for viewing

maipbui Dec 18, 2024 • edited Loading

Choose a reason for hiding this comment

maipbui Dec 18, 2024 •

edited

Loading