Skip to content

[MACsec]: Set MACsec feature to be auto-start#6678

Merged
lguohan merged 4 commits intosonic-net:masterfrom
Pterosaur:macsec_start
Feb 23, 2021
Merged

[MACsec]: Set MACsec feature to be auto-start#6678
lguohan merged 4 commits intosonic-net:masterfrom
Pterosaur:macsec_start

Conversation

@Pterosaur
Copy link
Copy Markdown
Contributor

@Pterosaur Pterosaur commented Feb 4, 2021
edited
Loading

Signed-off-by: Ze Gan ganze718@gmail.com

- Why I did it
I want the MACsec feature can be automatically enabled.

- How I did it

  1. Add supervisord as the entrypoint of docker-macsec
  2. Add wpa_supplicant conf into docker-macsec
  3. Set the macsecmgrd as the critical_process
  4. Configure supervisor to monitor macsecmgrd
  5. Set macsec in the features list
  6. Add config variable INCLUDE_MACSEC
  7. Add macsec.service

- How to verify it
Change the /etc/sonic/config_db.json as follow

{
    "PORT": {
        "Ethernet0": {
            ...
            "macsec": "test"
         }
    }
    ...
    "MACSEC_PROFILE": {
        "test": {
            "priority": 64,
            "cipher_suite": "GCM-AES-128",
            "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
            "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
            "policy": "security"
        }
    }
}

To execute sudo config reload -y, We should find the following new items were inserted in app_db of redis

127.0.0.1:6379> keys *MAC*
1) "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538"
2) "MACSEC_PORT_TABLE:Ethernet0"
127.0.0.1:6379> hgetall "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538"
1) "ssci"
2) ""
3) "encoding_an"
4) "0"
127.0.0.1:6379> hgetall "MACSEC_PORT_TABLE:Ethernet0"
 1) "enable"
 2) "false"
 3) "cipher_suite"
 4) "GCM-AES-128"
 5) "enable_protect"
 6) "true"
 7) "enable_encrypt"
 8) "true"
 9) "enable_replay_protect"
10) "false"
11) "replay_window"
12) "0"

- Description for the changelog

Set MACsec feature can auto start

- A picture of a cute animal (not mandatory but encouraged)
🐉

This PR depends on: sonic-net/sonic-swss#1627

@Pterosaur Pterosaur force-pushed the macsec_start branch 2 times, most recently from 43c84c2 to fd5f4b7 Compare February 4, 2021 09:55
@Pterosaur Pterosaur mentioned this pull request Feb 8, 2021
Merged
@Pterosaur
Set MACsec to be auto-start
d3ba5bb 
Signed-off-by: Ze Gan <ganze718@gmail.com>
@Pterosaur Pterosaur marked this pull request as ready for review February 8, 2021 06:41
@Pterosaur
Update sonic-utility submodule to support macsec config reload
7456a74 
Signed-off-by: Ze Gan <ganze718@gmail.com>
lguohan
lguohan previously approved these changes Feb 19, 2021
View reviewed changes
lguohan
lguohan reviewed Feb 19, 2021
View reviewed changes
files/build_templates/init_cfg.json.j2 Outdated
{%- if include_nat == "y" %}{% do features.append(("nat", "disabled", false, "enabled")) %}{% endif %}
{%- if include_restapi == "y" %}{% do features.append(("restapi", "enabled", false, "enabled")) %}{% endif %}
{%- if include_sflow == "y" %}{% do features.append(("sflow", "disabled", false, "enabled")) %}{% endif %}
{%- if include_macsec == "y" %}{% do features.append(("macsec", "enabled", false, "enabled")) %}{% endif %}
Copy link
Copy Markdown
Collaborator

@lguohan lguohan Feb 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mark it as disable by default

@Pterosaur
Make MACsec feature is disabled by default
082ea18 
Signed-off-by: Ze Gan <ganze718@gmail.com>
@Pterosaur Pterosaur requested a review from lguohan February 20, 2021 01:21
@lguohan lguohan merged commit 4068944 into sonic-net:master Feb 23, 2021
@Pterosaur Pterosaur deleted the macsec_start branch February 24, 2021 02:14
carl-nokia pushed a commit to carl-nokia/sonic-buildimage that referenced this pull request Aug 7, 2021
@Pterosaur
[MACsec]: Set MACsec feature to be auto-start (sonic-net#6678)
dc720f4 
1. Add supervisord as the entrypoint of docker-macsec
2. Add wpa_supplicant conf into docker-macsec
3. Set the macsecmgrd as the critical_process
4. Configure supervisor to monitor macsecmgrd
5. Set macsec in the features list
6. Add config variable `INCLUDE_MACSEC`
7. Add macsec.service

**- How to verify it**

Change the `/etc/sonic/config_db.json` as follow
```
{
    "PORT": {
        "Ethernet0": {
            ...
            "macsec": "test"
         }
    }
    ...
    "MACSEC_PROFILE": {
        "test": {
            "priority": 64,
            "cipher_suite": "GCM-AES-128",
            "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
            "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
            "policy": "security"
        }
    }
}
```
To execute `sudo config reload -y`, We should find the following new items were inserted in app_db of redis
```
127.0.0.1:6379> keys *MAC*
1) "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538"
2) "MACSEC_PORT_TABLE:Ethernet0"
127.0.0.1:6379> hgetall "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538"
1) "ssci"
2) ""
3) "encoding_an"
4) "0"
127.0.0.1:6379> hgetall "MACSEC_PORT_TABLE:Ethernet0"
 1) "enable"
 2) "false"
 3) "cipher_suite"
 4) "GCM-AES-128"
 5) "enable_protect"
 6) "true"
 7) "enable_encrypt"
 8) "true"
 9) "enable_replay_protect"
10) "false"
11) "replay_window"
12) "0"
```

Signed-off-by: Ze Gan <ganze718@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lguohan lguohan lguohan approved these changes

@qiluo-msft qiluo-msft Awaiting requested review from qiluo-msft qiluo-msft is a code owner

@xumia xumia Awaiting requested review from xumia xumia is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Pterosaur @lguohan