Merge branch 'sonic-net:master' into master

Author: i-davydenko

data/debian/sonic-host-services-data.aaastatsd.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=AAA Statistics Collection daemon
 Requires=hostcfgd.service
-After=hostcfgd.service updategraph.service
+After=hostcfgd.service config-setup.service
 BindsTo=sonic.target
 After=sonic.target
 

data/debian/sonic-host-services-data.caclmgrd.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Control Plane ACL configuration daemon
-Requires=updategraph.service
-After=updategraph.service
+Requires=config-setup.service
+After=config-setup.service
 BindsTo=sonic.target
 After=sonic.target
 

data/debian/sonic-host-services-data.determine-reboot-cause.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Reboot cause determination service
-Requires=rc-local.service database.service
-After=rc-local.service database.service
+Requires=rc-local.service
+After=rc-local.service
 
 [Service]
 Type=oneshot

data/debian/sonic-host-services-data.featured.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Feature configuration daemon
-Requires=updategraph.service
-After=updategraph.service
+Requires=config-setup.service
+After=config-setup.service
 BindsTo=sonic.target
 After=sonic.target
 

data/debian/sonic-host-services-data.hostcfgd.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Host config enforcer daemon
-Requires=updategraph.service
-After=updategraph.service
+Requires=config-setup.service
+After=config-setup.service
 BindsTo=sonic.target
 After=sonic.target
 

data/debian/sonic-host-services-data.procdockerstatsd.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Process and docker CPU/memory utilization data export daemon
-Requires=database.service updategraph.service
-After=database.service updategraph.service
+Requires=database.service config-setup.service
+After=database.service config-setup.service
 BindsTo=sonic.target
 After=sonic.target
 

data/debian/sonic-host-services-data.sonic-hostservice.service

@@ -12,5 +12,5 @@ RestartSec=10
 TimeoutStopSec=3
 
 [Install]
-WantedBy=mgmt-framework.service telemetry.service
+WantedBy=mgmt-framework.service telemetry.service gnmi.service
 

scripts/caclmgrd

@@ -806,6 +806,12 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
             self.log_info("  " + ' '.join(cmd))
 
         self.run_commands(iptables_cmds)
+        if self.bfdAllowed:
+            self.allow_bfd_protocol(namespace)
+        if self.VxlanAllowed:
+            fvs = swsscommon.FieldValuePairs([("src_ip", self.VxlanSrcIP)])
+            self.allow_vxlan_port(namespace, fvs)
+
 
         self.update_control_plane_nat_acls(namespace, service_to_source_ip_map, config_db_connector)
 

scripts/hostcfgd

@@ -1804,6 +1804,7 @@ class HostConfigDaemon:
             def callback(table, key, data):
                 if data is None:
                     op = "DEL"
+                    data = {}
                 else:
                     op = "SET"
                 return func(key, op, data)

scripts/procdockerstatsd

@@ -5,11 +5,12 @@ Daemon which periodically gathers process and docker statistics and pushes the d
 '''
 
 import os
+import psutil
 import re
 import subprocess
 import sys
 import time
-from datetime import datetime
+from datetime import datetime, timedelta
 
 from sonic_py_common import daemon_base
 from swsscommon import swsscommon
@@ -136,18 +137,30 @@ class ProcDockerStats(daemon_base.DaemonBase):
         return True
 
     def update_processstats_command(self):
-        cmd0 = ["ps", "-eo", "uid,pid,ppid,%mem,%cpu,stime,tty,time,cmd", "--sort", "-%cpu"]
-        cmd1 = ["head", "-1024"]
-        exitcode, data = getstatusoutput_noshell_pipe(cmd0, cmd1)
-        if any(exitcode):
-            cmd = ' | '.join([' '.join(cmd0), ' '.join(cmd1)])
-            self.log_error("Error running command '{}'".format(cmd))
-            data = None
-        processdata = self.format_process_cmd_output(data)
-        value = ""
+        processdata = []
+        for process in psutil.process_iter(['pid', 'ppid', 'memory_percent', 'cpu_percent', 'create_time', 'cmdline']):
+            try:
+                uid = process.uids()[0]
+                pid = process.pid
+                ppid = process.ppid()
+                mem = process.memory_percent()
+                cpu = process.cpu_percent()
+                stime = process.create_time()
+                stime_formatted = datetime.utcfromtimestamp(stime).strftime("%b%d")
+                tty = process.terminal()
+                ttime = process.cpu_times()
+                time_formatted = str(timedelta(seconds=int(ttime.user + ttime.system)))
+                cmd = ' '.join(process.cmdline())
+
+                row = {'PID': pid, 'UID': uid, 'PPID': ppid, '%CPU': cpu, '%MEM': mem, 'STIME': stime_formatted,  'TT': tty, 'TIME': time_formatted, 'CMD': cmd}
+                processdata.append(row)
+            except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
+                pass
+
         # wipe out all data before updating with new values
         self.state_db.delete_all_by_pattern('STATE_DB', 'PROCESS_STATS|*')
-        for row in processdata[0:]:
+
+        for row in processdata:
             cid = row.get('PID')
             if cid:
                 value = 'PROCESS_STATS|{}'.format(cid)
@@ -157,7 +170,7 @@ class ProcDockerStats(daemon_base.DaemonBase):
                 self.update_state_db(value, 'PPID', ppid)
                 cpu = row.get('%CPU')
                 self.update_state_db(value, '%CPU', str(cpu))
-                mem = row.get('%MEM')
+                mem = round(row.get('%MEM'), 1)
                 self.update_state_db(value, '%MEM', str(mem))
                 stime = row.get('STIME')
                 self.update_state_db(value, 'STIME', stime)

setup.py

@@ -47,6 +47,7 @@
         'systemd-python',
         'Jinja2>=2.10',
         'PyGObject',
+        'psutil'
     ] + sonic_dependencies,
     setup_requires = [
         'pytest-runner',
@@ -57,7 +58,8 @@
         'pytest',
         'pyfakefs',
         'sonic-py-common',
-        'deepdiff==6.2.2'
+        'deepdiff==6.2.2',
+        'psutil'
     ],
     extras_require = {
         "testing": [

tests/caclmgrd/caclmgrd_bfd_test.py

@@ -1,6 +1,6 @@
 import os
 import sys
-import swsscommon
+from swsscommon import swsscommon
 
 from parameterized import parameterized
 from sonic_py_common.general import load_module_from_source
@@ -18,7 +18,7 @@ class TestCaclmgrdBfd(TestCase):
         Test caclmgrd bfd
     """
     def setUp(self):
-        swsscommon.swsscommon.ConfigDBConnector = MockConfigDb
+        swsscommon.ConfigDBConnector = MockConfigDb
         test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
         modules_path = os.path.dirname(test_path)
         scripts_path = os.path.join(modules_path, "scripts")
@@ -48,4 +48,9 @@ def test_caclmgrd_bfd(self, test_name, test_data, fs):
                 caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
                 caclmgrd_daemon.allow_bfd_protocol('')
                 mocked_subprocess.Popen.assert_has_calls(test_data["expected_subprocess_calls"], any_order=True)
+                caclmgrd_daemon.bfdAllowed = True
+                mocked_subprocess.Popen.reset_mock()
+                caclmgrd_daemon.num_changes[''] = 1
+                caclmgrd_daemon.check_and_update_control_plane_acls('', 1)
+                mocked_subprocess.Popen.assert_has_calls(test_data["expected_subprocess_calls"], any_order=True)
 

tests/caclmgrd/caclmgrd_default_rule_test.py

@@ -0,0 +1,56 @@
+import os
+import sys
+
+from swsscommon import swsscommon
+from parameterized import parameterized
+from sonic_py_common.general import load_module_from_source
+from unittest import TestCase, mock
+from pyfakefs.fake_filesystem_unittest import patchfs
+
+from .test_default_rule_vectors import CACLMGRD_DEFAULT_RULE_TEST_VECTOR
+from tests.common.mock_configdb import MockConfigDb
+
+DBCONFIG_PATH = '/var/run/redis/sonic-db/database_config.json'
+
+
+class TestCaclmgrdDefaultRule(TestCase):
+    """
+    Test caclmgrd default deny rule
+    1. Default deny rule NOT EXISTS when there is no CACL rule.
+    2. Default deny rule EXISTS when there is at least one CACL rules.
+    """
+    def setUp(self):
+        swsscommon.ConfigDBConnector = MockConfigDb
+        test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+        modules_path = os.path.dirname(test_path)
+        scripts_path = os.path.join(modules_path, "scripts")
+        sys.path.insert(0, modules_path)
+        caclmgrd_path = os.path.join(scripts_path, 'caclmgrd')
+        self.caclmgrd = load_module_from_source('caclmgrd', caclmgrd_path)
+        self.maxDiff = None
+
+        self.default_deny_rule_v4 = ('iptables', '-A', 'INPUT', '-j', 'DROP')
+        self.default_deny_rule_v6 = ('ip6tables', '-A', 'INPUT', '-j', 'DROP')
+
+    @parameterized.expand(CACLMGRD_DEFAULT_RULE_TEST_VECTOR)
+    @patchfs
+    def test_caclmgrd_default_rule(self, test_name, test_data, fs):
+        if not os.path.exists(DBCONFIG_PATH):
+            fs.create_file(DBCONFIG_PATH)  # fake database_config.json
+
+        MockConfigDb.set_config_db(test_data["config_db"])
+        self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip = mock.MagicMock()
+        self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
+        self.caclmgrd.ControlPlaneAclManager.generate_block_ip2me_traffic_iptables_commands = mock.MagicMock(return_value=[])
+        self.caclmgrd.ControlPlaneAclManager.get_chain_list = mock.MagicMock(return_value=["INPUT", "FORWARD", "OUTPUT"])
+        self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value='')
+        caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
+
+        iptables_rules_ret, _ = caclmgrd_daemon.get_acl_rules_and_translate_to_iptables_commands('', MockConfigDb())
+        iptables_rules_ret = [tuple(i) for i in iptables_rules_ret]
+        if test_data['default_deny']:
+            self.assertIn(self.default_deny_rule_v4, iptables_rules_ret)
+            self.assertIn(self.default_deny_rule_v6, iptables_rules_ret)
+        else:
+            self.assertNotIn(self.default_deny_rule_v4, iptables_rules_ret)
+            self.assertNotIn(self.default_deny_rule_v6, iptables_rules_ret)

tests/caclmgrd/caclmgrd_vxlan_test.py

@@ -55,4 +55,9 @@ def test_caclmgrd_vxlan(self, test_name, test_data, fs):
                 mocked_subprocess.Popen.assert_has_calls(test_data["expected_add_subprocess_calls"], any_order=True)
                 caclmgrd_daemon.block_vxlan_port('')
                 mocked_subprocess.Popen.assert_has_calls(test_data["expected_del_subprocess_calls"], any_order=True)
+                caclmgrd_daemon.allow_vxlan_port('', data)
+                mocked_subprocess.Popen.reset_mock()
+                caclmgrd_daemon.num_changes[''] = 1
+                caclmgrd_daemon.check_and_update_control_plane_acls('', 1)
+                mocked_subprocess.Popen.assert_has_calls(test_data["expected_add_subprocess_calls"], any_order=True)
 

tests/caclmgrd/test_default_rule_vectors.py

@@ -0,0 +1,68 @@
+from unittest.mock import call
+import subprocess
+
+"""
+caclmgrd default rule test vector
+"""
+CACLMGRD_DEFAULT_RULE_TEST_VECTOR = [
+    (
+        "No CACL rules -> Default deny rule NOT EXISTS",
+        {
+            "config_db": {
+                "ACL_RULE": {},
+                "ACL_TABLE": {
+                    "SSH_ONLY": {
+                        "policy_desc": "SSH_ONLY",
+                        "services": [
+                            "SSH"
+                        ],
+                        "stage": "ingress",
+                        "type": "CTRLPLANE"
+                    }
+                },
+                "DEVICE_METADATA": {
+                    "localhost": {
+                    }
+                },
+                "FEATURE": {},
+            },
+            "return": [],
+            "default_deny": False,
+        }
+    ),
+    (
+        "At least one CACL rules -> Default deny rule EXISTS",
+        {
+            "config_db": {
+                "ACL_RULE": {
+                    "SSH_ONLY|RULE_22": {
+                        "PACKET_ACTION": "ACCEPT",
+                        "PRIORITY": "9978",
+                        "SRC_IPV6": "2001::23/128"
+                    },
+                },
+                "ACL_TABLE": {
+                    "SSH_ONLY": {
+                        "policy_desc": "SSH_ONLY",
+                        "services": [
+                            "SSH"
+                        ],
+                        "stage": "ingress",
+                        "type": "CTRLPLANE"
+                    }
+                },
+                "DEVICE_METADATA": {
+                    "localhost": {
+                    }
+                },
+                "FEATURE": {},
+            },
+            "return": [
+                ['ip6tables', '-A', 'INPUT', '-p', 'tcp', '-s', '2001::23/128', '--dport', '22', '-j', 'ACCEPT'],
+                ['iptables', '-A', 'INPUT', '-j', 'DROP'],
+                ['ip6tables', '-A', 'INPUT', '-j', 'DROP'],
+            ],
+            "default_deny": True,
+        }
+    ),
+]

tests/common/mock_configdb.py

@@ -51,13 +51,17 @@ def set_entry(self, key, field, data):
 
     def get_table(self, table_name):
         data = {}
-        for k, v in MockConfigDb.CONFIG_DB[table_name].items():
-            data[self.deserialize_key(k)] = v
+        if table_name in MockConfigDb.CONFIG_DB:
+            for k, v in MockConfigDb.CONFIG_DB[table_name].items():
+                data[self.deserialize_key(k)] = v
         return data
 
     def subscribe(self, table_name, callback):
         self.handlers[table_name] = callback
 
+    def publish(self, table_name, key, op, data):
+        self.handlers[table_name](key, op, data)
+
     def listen(self, init_data_handler=None):
         for e in MockConfigDb.event_queue:
             self.handlers[e[0]](e[0], e[1], self.get_entry(e[0], e[1]))

tests/hostcfgd/hostcfgd_tacacs_test.py

@@ -192,3 +192,43 @@ def test_hostcfgd_sshd_not_empty(self, test_name, test_data):
             ]
             mocked_syslog.assert_has_calls(expected)
 
+    @parameterized.expand(HOSTCFGD_TEST_TACACS_VECTOR)
+    def test_hostcfgd_delete_config_table(self, test_name, test_data):
+        """
+            Test hostcfd delete config table check
+
+            Args:
+                test_name(str): test name
+                test_data(dict): test data which contains initial Config Db tables, and expected results
+
+            Returns:
+                None
+        """
+        config_name = "config_db_local"
+        op_path = output_path + "/" + test_name + "_" + config_name
+        sop_path = sample_output_path + "/" +  test_name + "_" + config_name
+        host_config_daemon = self.mock_hostcfgd(test_data, config_name, op_path, sop_path)
+        host_config_daemon.register_callbacks()
+
+        # render with delete config table
+        original_syslog = hostcfgd.syslog
+        with mock.patch('hostcfgd.syslog.syslog') as mocked_syslog:
+            mocked_syslog.LOG_INFO = original_syslog.LOG_INFO
+            mocked_syslog.LOG_ERR = original_syslog.LOG_ERR
+
+            # simulate subscribe callback
+            try:
+                host_config_daemon.__dict__['config_db'].publish('AAA', 'authorization', 'DEL', None)
+            except TypeError as e:
+                assert False
+
+            # check sys log
+            expected = [
+                mock.call(mocked_syslog.LOG_INFO, "file size check pass: {} size is (2139) bytes".format(hostcfgd.ETC_PAMD_SSHD)),
+                mock.call(mocked_syslog.LOG_INFO, "file size check pass: {} size is (4951) bytes".format(hostcfgd.ETC_PAMD_LOGIN)),
+                mock.call(mocked_syslog.LOG_INFO, "Found audisp-tacplus PID: "),
+                mock.call(mocked_syslog.LOG_INFO, "cmd - ['service', 'aaastatsd', 'stop']"),
+                mock.call(mocked_syslog.LOG_ERR, "['service', 'aaastatsd', 'stop'] - failed: return code - 1, output:\nNone"),
+                mock.call(mocked_syslog.LOG_INFO, "AAA Update: key: DEL, op: DEL, data: {}")
+            ]
+            mocked_syslog.assert_has_calls(expected)