From 3437e35f7e0cc258b39ba5cef1e659b66c85b9f5 Mon Sep 17 00:00:00 2001
From: Suvarna Meenakshi <sumeenak@microsoft.com>
Date: Fri, 19 Aug 2022 18:46:47 +0000
Subject: [PATCH 1/2] [caclmgrd][chassis]: Add ip tables rules to accept
 internal docker traffic from fabric asic namespaces.

Signed-off-by: Suvarna Meenakshi <sumeenak@microsoft.com>
---
 scripts/caclmgrd | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/scripts/caclmgrd b/scripts/caclmgrd
index 19e42a8b48a8..9974a16cd109 100755
--- a/scripts/caclmgrd
+++ b/scripts/caclmgrd
@@ -135,22 +135,26 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 
             self.config_db_map[front_asic_namespace] = swsscommon.ConfigDBConnector(use_unix_socket_path=True, namespace=front_asic_namespace)
             self.config_db_map[front_asic_namespace].connect()
-            self.iptables_cmd_ns_prefix[front_asic_namespace] = "ip netns exec " + front_asic_namespace + " "
-            self.namespace_docker_mgmt_ip[front_asic_namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[front_asic_namespace],
-                                                                                              front_asic_namespace)
-            self.namespace_docker_mgmt_ipv6[front_asic_namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[front_asic_namespace],
-                                                                                              front_asic_namespace)
+            self.update_docker_mgmt_ip_acl(front_asic_namespace)
 
         for back_asic_namespace in namespaces['back_ns']:
             self.update_thread[back_asic_namespace] = None
             self.lock[back_asic_namespace] = threading.Lock()
             self.num_changes[back_asic_namespace] = 0
-
-            self.iptables_cmd_ns_prefix[back_asic_namespace] = "ip netns exec " + back_asic_namespace + " "
-            self.namespace_docker_mgmt_ip[back_asic_namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[back_asic_namespace],
-                                                                                             back_asic_namespace)
-            self.namespace_docker_mgmt_ipv6[back_asic_namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[back_asic_namespace],
-                                                                                             back_asic_namespace)
+            self.update_docket_mgmt_ip_acl(back_asic_namespace)
+       
+        for fabric_asic_namespace in namespaces['fabric_ns']:
+            self.update_thread[fabric_asic_namespace] = None
+            self.lock[fabric_asic_namespace] = threading.Lock()
+            self.num_changes[fabric_asic_namespace] = 0
+            self.update_docket_mgmt_ip_acl(fabric_asic_namespace)
+
+    def update_docket_mgmt_ip_acl(self, namespace):
+            self.iptables_cmd_ns_prefix[namespace] = "ip netns exec " + namespace + " "
+            self.namespace_docker_mgmt_ip[namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[namespace],
+                                                                                             namespace)
+            self.namespace_docker_mgmt_ipv6[namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[namespace],
+                                                                                             namespace)
 
     def get_namespace_mgmt_ip(self, iptable_ns_cmd_prefix, namespace):
         ip_address_get_command = iptable_ns_cmd_prefix + "ip -4 -o addr show " + ("eth0" if namespace else "docker0") +\
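Review bot: The body of the new `update_docket_mgmt_ip_acl` method is indented 12 spaces under an 8-space `def`, whereas the class's other methods (e.g. `get_namespace_mgmt_ip` directly below) use an 8-space body; Python accepts it, but it reads as a paste artifact, and the same over-indentation survives the rename in the second patch's hunk. The method also has no docstring, and its name says "acl" while the visible body only records the per-namespace `ip netns exec` prefix and the docker management IPv4/IPv6 addresses — presumably the iptables rules built from them are generated elsewhere, outside this hunk. I would dedent the body to the class's 8-space indent and add `"""Record the netns command prefix and docker management IPv4/IPv6 addresses for *namespace*."""` as its docstring. The added line after the back_ns loop is whitespace-only and should be an empty line. The enclosing `__init__` starts outside the hunk.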

From 35c76cb3e7cc712ac18e74171535b26a238aa971 Mon Sep 17 00:00:00 2001
From: Suvarna Meenakshi <sumeenak@microsoft.com>
Date: Fri, 2 Sep 2022 17:05:32 +0000
Subject: [PATCH 2/2] Add unit-test and fix typo.

Signed-off-by: Suvarna Meenakshi <sumeenak@microsoft.com>
---
 scripts/caclmgrd                              |  6 ++--
 .../caclmgrd_namespace_docker_ip_test.py      | 29 +++++++++++++++++++
 2 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 tests/caclmgrd/caclmgrd_namespace_docker_ip_test.py

diff --git a/scripts/caclmgrd b/scripts/caclmgrd
index 9974a16cd109..ede67707b8dc 100755
--- a/scripts/caclmgrd
+++ b/scripts/caclmgrd
@@ -141,15 +141,15 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
             self.update_thread[back_asic_namespace] = None
             self.lock[back_asic_namespace] = threading.Lock()
             self.num_changes[back_asic_namespace] = 0
-            self.update_docket_mgmt_ip_acl(back_asic_namespace)
+            self.update_docker_mgmt_ip_acl(back_asic_namespace)
        
         for fabric_asic_namespace in namespaces['fabric_ns']:
             self.update_thread[fabric_asic_namespace] = None
             self.lock[fabric_asic_namespace] = threading.Lock()
             self.num_changes[fabric_asic_namespace] = 0
-            self.update_docket_mgmt_ip_acl(fabric_asic_namespace)
+            self.update_docker_mgmt_ip_acl(fabric_asic_namespace)
 
-    def update_docket_mgmt_ip_acl(self, namespace):
+    def update_docker_mgmt_ip_acl(self, namespace):
             self.iptables_cmd_ns_prefix[namespace] = "ip netns exec " + namespace + " "
             self.namespace_docker_mgmt_ip[namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[namespace],
                                                                                              namespace)
diff --git a/tests/caclmgrd/caclmgrd_namespace_docker_ip_test.py b/tests/caclmgrd/caclmgrd_namespace_docker_ip_test.py
new file mode 100644
index 000000000000..0a15aeacb9c7
--- /dev/null
+++ b/tests/caclmgrd/caclmgrd_namespace_docker_ip_test.py
@@ -0,0 +1,29 @@
+import os
+import sys
+
+from sonic_py_common.general import load_module_from_source
+from unittest import TestCase, mock
+
+class TestCaclmgrdNamespaceDockerIP(TestCase):
+    """
+        Test caclmgrd Namespace docker management IP
+    """
+    def setUp(self):
+        test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+        modules_path = os.path.dirname(test_path)
+        scripts_path = os.path.join(modules_path, "scripts")
+        sys.path.insert(0, modules_path)
+        caclmgrd_path = os.path.join(scripts_path, 'caclmgrd')
+        self.caclmgrd = load_module_from_source('caclmgrd', caclmgrd_path)
+        self.maxDiff = None
+
+    def test_caclmgrd_namespace_docker_ip(self):
+        self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip = mock.MagicMock(return_value=[])
+        self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock(return_value=[])
+        with mock.patch('sonic_py_common.multi_asic.get_all_namespaces',
+                return_value={'front_ns': ['asic0'], 'back_ns': ['asic1'], 'fabric_ns': ['asic2']}):
+            caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
+            self.assertTrue('asic0' in caclmgrd_daemon.namespace_docker_mgmt_ip)
+            self.assertTrue('asic1' in caclmgrd_daemon.namespace_docker_mgmt_ip)
+            self.assertTrue('asic2' in caclmgrd_daemon.namespace_docker_mgmt_ip)
+            self.assertListEqual(caclmgrd_daemon.namespace_docker_mgmt_ip['asic0'], [])
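Review bot: The test only checks that each namespace key exists in `namespace_docker_mgmt_ip`; it never checks what the mocked `get_namespace_mgmt_ip` was called with, so a regression in the `"ip netns exec " + namespace + " "` prefix built by `update_docker_mgmt_ip_acl` would pass unnoticed, and the IPv6 map is not covered at all. After the existing assertions add `self.assertEqual(caclmgrd_daemon.iptables_cmd_ns_prefix['asic2'], "ip netns exec asic2 ")`, `self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip.assert_any_call("ip netns exec asic2 ", "asic2")` and `self.assertIn('asic2', caclmgrd_daemon.namespace_docker_mgmt_ipv6)`. The two `MagicMock`s are assigned straight onto the class instead of through `mock.patch.object`, so they are never restored; that appears harmless here only because `setUp` reloads the module for every test, and `mock.patch.object` would make the intent explicit. `sys.path.insert(0, modules_path)` in `setUp` also re-inserts the same path on every test; doing it once at module level or in `setUpClass` avoids the duplicates.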